Hi everyone. Thanks for being here. My name is FX, from Phenoelit. And we're going to talk about analyzing complex systems, which is essentially when you want to hack something that's a little bit bigger than your arbitrary broken Windows server or something: how you're going to go about that, how you should approach that. And we're going to show that on the case of our research on BlackBerries.

So when you start looking at something a bit more complex, the first thing you have to do is get an idea of what the entire picture is. Here's the reason why, the core reason being: you see something, and in our case it was those little devices in the hands of people in way too expensive suits, used all over the place. And you see those devices and you think, wow, that's got a CPU in it and it's used by people I don't like, so I want to hack it. It is a very good motivation, but you should not just go ahead and beat someone up and steal his device and try to hack this device. I'm not saying that beating up people is bad. I'm saying that you should not go for the obvious part of the system, because there has to be more to it. Obviously, if you have a device like a BlackBerry, there has to be some infrastructure that this thing is running on. It's not a standalone system. So what you see is also probably the thing that whoever made this device concentrated on when they tried to put some security in there. So basically the defending side was probably also focusing on what everyone sees, what everyone has in hand, in this case the device. You have to look at the bigger picture to really see what is a promising attack vector. The problem is, if you have a complex system that contains lots of stuff like many servers, many infrastructure elements and so on, and you're not a three-letter agency, then you don't have unlimited resources.
We all have lives; even hackers have to sleep and have to get drunk and stuff. So we don't have unlimited resources for research. So we have to focus on something, and preferably something that gets you somewhere. Also, you need additional resources apart from yourself and your brain, which is required for hacking, just for the record. You need hardware. In the case of BlackBerries, you obviously need a BlackBerry. You need software, possibly. You need infrastructure and accounts. So again, in the case of BlackBerries, you have to have an account on some system that you can forward your email to. Of course, you need to obtain this account. I'm not saying you need to buy it. You need to obtain an account that you can work with so you can actually see how the system works. Getting what you need might actually take time, and there are consequences to that which should be considered before you go on. So can you afford to invest money? Are you poor as hell or not? How much can you afford? Are you crossing legal lines if you're getting stuff? Like when we got our hands on the software to look at the enterprise server, it wasn't strictly legal, because we didn't strictly buy it. The next very important thing is: can you afford that your potential target knows that it's under attack? For example, if you're looking for vulnerabilities in, let's say, Gmail, and you're writing a fuzzer for email content and you're sending lots of crappy emails to Gmail and Gmail goes down, it is fairly likely that after the fifth or sixth system crash they start investigating, so your target in this case would know it's under attack. And with all that, especially the target knowing it's under attack and crossing the legal lines, there's also the question of: do you care? It doesn't make any difference to you. So the big picture for RIM is you start with identifying all components in the system.
So first you're getting official data; that's the big picture that RIM puts out in documents. So you have handhelds, the native handhelds, and you have third-party handhelds running RIM stuff. You have several data networks, GSM and other mobile networks. You have the internet, the big bad internet; you have a firewall, some hole in the firewall of which you don't actually know what the hole is. And then you have all the server infrastructure on a potentially corporate site. So you have the wireless services, you have the email servers on the left, you have application servers, web applications, all that. When you see stuff like this, when you obtain documentation about your potential target, go ahead and build an abstract view of that. Don't eat the data you're fed; just try to get your own picture. So that's the abstract idea of a RIM network setup here. You have the evil BlackBerry to the right, then you have the GSM network; we're German, so we're living in GSM land. You have provider-side servers that are obviously somehow specialized, something related to RIM. Then you have the RIM secret network over here and the border systems; they're called SRP, in different countries: UK, Canada, somewhere else. Then you have a corporate network site with an enterprise server and the enterprise server management software for that. So that's again something in a system: there's always some part of management software, because none of the software you can buy today is actually carefree. Most of it is actually quite a hassle to get to work. And there's always some poor guy administrating this, and he's always having some poor Windows system, and that needs to be considered as well, because it is a potential attack vector. And then you have a connection from the corporate network somehow over to RIM.
So when you break this down, then you get handheld devices, mobile network, RIM network, internet-based communication, which is this little communication line that we've seen here, and you potentially want to know what the protocols are. You have a BlackBerry Enterprise Server, the connectors to the mail servers, and you have the management tools. So you can reclassify them, because unless you know exactly what you're dealing with, you need to classify the elements; you need to find out what you're actually looking at. So the handheld device is, for example, an embedded system. It's obviously proprietary hardware. It has a real-time operating system, because that's required to run a GSM engine, and it obviously has Java, because the applications are slow. You have a mobile network, a GSM 2.5G or 3G network. You have a RIM network, of which you don't know anything, but it's fairly likely that it's IP-based. You have the internet-based communication, which is certainly going to be IP, but there is some proprietary stuff going on in there. You have the enterprise server and connectors, which is Windows-based service software. It's closed source, but it is a Windows environment, so we know how to debug it, how to disassemble it, and the same holds true for the management tools.

And then you need to look at the accessibility. Can you get your hands on the stuff? Handheld devices, for example: well, it's doable. As I said, you can take them off people you don't like, or you just buy one. The mobile network, the GSM network: while it's obviously a well-defended network, it is hard, but it is possible to break into a GSM network and take it over. That would be an attack vector. The RIM network is probably a lot more doable to get in, if you just have a bunch of 0days sitting around, breaking into the RIM network, but it is illegal.
Internet-based communication: accessibility is there, so if you have a working installation of an enterprise server, you can obviously sniff the traffic and start reverse-engineering it. The BlackBerry Enterprise Server and connectors: accessibility is there. There are tons of companies running this stuff. This is why we are looking at it. So you just call someone up and ask friendly, can I have this CD please? And then accessibility in more detail is IDA, so disassembling it, that's doable, and the same for the management tools.

And then the most interesting part of that is: what's the impact? Sit down, consume whatever drugs you really like, and imagine you're already done. And think of what's the impact if I am successful on this attack vector and implement a successful attack. So for the handheld devices, for example, it means you potentially have information disclosure in the form of reading some CEO's email, and potentially you have remote control over the device, so maybe you can put up porn screensavers or something, but it is definitely an attack that's targeted on a single user, because it's a single device. For the mobile network, well, you could do a lot of stuff in the GSM network, but then again, that's maybe just a little bit too big an attack vector just to own a BlackBerry. For the RIM network: if you take over the RIM network or the core systems, you become RIM, so you can do whatever you want. For the internet-based communication: if you successfully hack that and reverse-engineer that, then you can implement the protocol, so you can talk to RIM and you can talk to the enterprise server, which enables you to, for example, do brute-force attacks. We still don't know if there's a password in this protocol or not, but if you talk the protocol, then you actually have the ability to write your own tools and to automate your attacks.
For the BlackBerry Enterprise Servers: if you have a vulnerability there and you can exploit it, then you get code execution on a host OS and you're owning a centrally placed server, which sounds pretty useful. And for the management tools, you can modify the policies that are pushed to the handhelds, you can send messages to everyone, whatever that's worth, and you could remotely install software on the handhelds. So when you draw this all up into one diagram, then you can see the ease of access and the impact of what you do, and essentially place every single item, and then look at the connections, how those things are connected to each other, and then it's absolutely clear that you should not just concentrate on the handheld, but you should concentrate on the enterprise server.

Now, after all this abstract stuff, a short summary of why you should go for the enterprise server: the enterprise server is sitting in the corporate network right next to the mail server, because it needs to be connected to the mail server. It talks to the outside. It handles email, which is a communication vector that we all know how to use, and we all know that the sender can be modified, and there is absolutely no way for the enterprise server to not take someone's email, because, well, it is an email system, so it's supposed to handle email. And if you own it, then you get everything. So after you have the abstract picture, get the details. So it is important to figure out how feasible an attack is: sending email is very feasible; breaking into a GSM network is probably not what you need, we already covered that. And how illegal it is: even here, sending email is the more preferred way, because it might be illegal if the email actually contains an exploit, but let's face it, you're hard to get.
So for the handheld devices, what we did to verify the details: we checked what's there in terms of software. So there is a simulation environment available from RIM, so you get an emulator, you get a developer SDK. The current version is for Java; the older version is for C, so it's obviously more interesting, but it was limited to people in the US and Canada, and that's again an accessibility question. Yes, even I know people in the US and Canada, and yes, I can call them and say, come on, send this fax over to RIM and get me the software, which someone did. So here again, accessibility is not always a big problem. Then we have desktop software available, there is sync software, and there is third-party code, products that you can put on your BlackBerry. So you can take this code and look into it and find out what the API calls are, how powerful the API is, because the product has to use the API to actually make something do something, and the more powerful the product is, the more features this product offers, the more interfacing into the operating system of the handheld has to be there. And by looking at the third-party product, you can actually figure out how much there is.

For the protocols, you look at how many communication channels are used, who initiates the communication, is it UDP, is it TCP, how much encapsulation are you looking at. The encapsulation and how variable the protocol is are very important for finding vulnerabilities in it, because if it's multi-level encapsulation stuff, then you can assume there are going to be multi-level parsers in the software, which are maybe not written by the same person, so you potentially have interfacing problems between one layer and the other. We've all seen that happening in other products. If it's a flat protocol design, like one huge structure, then the code for that is probably looking the same, and it's probably written by one crazy Russian and no variable has more than two characters and stuff, which indicates different bug classes.
The same for the variableness of the protocol: if you have multiple length fields (length fields are really important), or you have different encodings, then there's lots of stuff that can go wrong. For example, on SAP the protocols are all fixed size; everything is pretty much eight characters wide. You don't find overflows in something that's fixed to eight characters. And then of course you have to look at how the software is designed: is it running in userland, is it running in the kernel, is it running as a system service, how many components are you looking at, and especially, what are those components doing? Again, if you have a piece of software that opens a port in userland, and you have another piece of software that opens a port as a kernel service, as a system service, then you should look at the one opening a port as a system service, because if you own it, then you get higher privileges. And what are the building blocks of the software, what libraries are used, who developed which component, is everything by this one vendor or not, what programming language is used? For example, in reverse engineering it really sucks if you take a server software part and then you realize it's Delphi, because IDA is just failing on you and nothing works anymore and all your tools don't work anymore. And of course, where's the interesting stuff stored? Does it have its own crypto containers, or does it just throw everything into the registry, and blah blah blah.

More things to look for is history: how old is the stuff, where does the component come from, when was the first release, was there any major rewrite? Check the press releases; they're going to tell you. Someone walked up to me yesterday and said another very interesting source is patents: if they have patents for their stuff, especially for the communication protocols and stuff, then you can go to the public website and download the patents and actually see how this whole thing works. And the documentation: what are the setup requirements, what is the troubleshooting, officially how it is supposed to work, and what are people actually using. Check the forums; see if some lame-ass administrator said, yeah, this is the troubleshooting procedure but it never works, so I just reboot the box, or this and that procedure actually does work, because it again tells you who you are dealing with. If those people managing the systems are, let's put it this way, less talented, then it's less likely that they're going to notice another administrative account on their system.

Step three: work. There's nothing to say about that; it has to be done. So reverse engineering takes time, taking apart networks and protocols takes time, and then you get results. So the first thing that we did with the handheld was stripping it. It's pretty much the same approach as getting married: you know you want to see what you get. So this is the back view. It actually has a... what's going on here? Bye bye. Applause for the guys, come on. So it was cool. So essentially, by taking the cover off, we actually figured out what CPU is in there, because the C SDK that we downloaded and wanted to work with indicated that it's actually x86, the CPU name. Turns out it's actually ARM, so they're running on an ARM CPU in an Analog Devices chip. And then there's another very interesting part on this picture. We suspected... where's my laser pointer? Okay, so next to where you see the GSM card is supposed to go in, next to that there are a few little pins. Our suspicion was this might actually be JTAG, so it is again a possible attack vector. That's the backside. The front side, that's pretty boring. So as I said, it turns out it's ARM. It actually has
different real-time operating system kernels. So when we took the first one apart, we found a Kadak AMX 4 kernel. Kadak is a company that sells real-time operating system kernels, and when we later talked to RIM, it was a big surprise to them, and I'm like, wait a minute, it's your product. But it turns out every single device actually might have its own kernel. So this again shows you that the device as an attack vector is probably not very good, because we have a situation like with Cisco, where every single device has a different core. So if you find a vulnerability and you write an exploit for it, it's going to take you a lot of time, and you can only own one type, one series of devices, and when they come out with a new series of devices, your exploit doesn't work anymore.

Then it turns out that the way they built the operating system is you have a core operating system binary that's called rimos.exe, and it's actually a real PE/COFF format like on Windows, like EXE and DLL files, just compiled for ARM, and then everything else, like the Java virtual machine, are modules in the form of DLL files linked into this main EXE file. So the entire operating system, in terms of memory setup, looks like one process, like one application on a Windows system. The Java virtual machine, as I said, is loaded as one binary module; it's actually the largest one, and I think in the recent BlackBerries it's the only binary module that's loaded from the kernel. It is actually made by RIM. So there are different Java virtual machine implementations, from Sun and from HP and from IBM and so on, and RIM did their own implementation, so it's actually worthwhile to look for virtual machine bugs in a Java virtual machine and see if you can make something happen on a device. Unfortunately, with the Java classes there is not a full set, so you don't have the reflection API, for example, and for that you get tons of RIM classes. The RIM classes are used to communicate with the device, to show something on a display or get some user input, or talk GSM or send an email or whatnot. And as soon as you want to instantiate an object out of the RIM classes, it actually checks the signature of your application, and your application has to be signed by RIM.

Now, how that works is: you write a piece of code, and then the development environment is going to take a hash of your JAR package, and then this hash needs to be sent to RIM, and you need to get an account with RIM that costs you a hundred bucks, one time, and you pay this by credit card. The idea behind this, or our suspicion, is that they say, well, if we ever have a binary that's doing evil shit on our BlackBerries, like if they have a BlackBerry worm or something, then we have the hash of the binary, and since the guy paid with his credit card, we know who it is and we can bust him. Which works in a world that doesn't have stolen credit cards. So, yeah, it's not going to do that, but anyway, that's the procedure. We didn't find a way to get around the signature checking of the binaries. Also the firmware is signature-checked. So what happens is, when you load the firmware, the loader software on the PC side will actually verify the signature, and I'm like, okay, this is easy. So here is the shortest IDA manual ever: if you want to crack this side of the authentication, then you just go search for the string "signature", cross-reference it once, and you find the code location, and then this is the jump that you need to not take. Unfortunately, the device itself is going to check the signature again, so after finding that out we had a device sitting there just blinking red and not doing anything else anymore.

We found vulnerabilities in the JAD parsing. It's actually not a bad thing, but it's funny, because I think three years ago I talked about embedded systems and I mentioned a Siemens phone that
would crash if you would access a JAD file with a long MIDlet name or vendor name, and it turns out the same happened for the BlackBerry browser. I just found that really funny. Other things are, as I said, JTAG. JTAG is a hardware debugging mechanism that's widely used in embedded systems, where you can do sub-CPU debugging. Of course, finding JTAG on a BlackBerry is an interesting thing, because you could circumvent the signature checking and get your own software on it. Looking for JVM bugs, looking for Bluetooth vulnerabilities, and accessing memory on the device via the loader, the JTAG: this is actually work in progress. This picture was taken before we flew over. So Hunz actually developed a JTAG finder, and at PH-Neutral we actually found the JTAG connectors. So the pins I showed you earlier are actually JTAG, and so I had someone build me a JTAG cable for that, and this is my newly wired-up BlackBerry. Unfortunately, as I said, that's brand new, so we haven't done any work on that, and the problem is, when I power it on, it goes like... so I think there is still something amiss with the electronics.

The protocols: I'm going to skip a bit over them, because we're running out of time, I guess. They're not too interesting, actually. It turns out it's a multi-level encapsulation, so on the outside it's SRP chunks: you have an SRP header, and then you have several chunks in a protocol, and then you have a trailer, and that's it. They have two different types. We looked at them and saw, okay, there is one type that's called 53 hex and one type that's 49 hex, and then we saw that we're dealing with integers. And so we went on, and later on, when we looked at the decodings, we actually realized it's a capital S and a capital I, for string and integer. Duh. So that's a case that shows you that when you're reverse engineering stuff, sometimes the obvious solution is actually the right solution.

This here is SRP opcodes. This is also stuff that still needs to be played with, because we didn't so far. There are many things that we find fairly interesting, especially stuff like config or info; that's the communication between the enterprise server and RIM. So, yeah, I assume you cannot remotely config RIM, but probably there is some functionality in there that's still worth playing with. This is the session setup when an enterprise server gets online and wants to talk to RIM. It goes ahead, and the client, in this case the enterprise server, talks to the RIM server and sends a system ID and gets a server challenge back, and then sends a client challenge over there, and it gets an HMAC-SHA1-transformed SRP key, and that's basically the authentication. So what happens here is you have a thing that's called the SRP key that you have to configure in the enterprise server. It looks like a CD key; it's actually going to ask you during the installation, please enter the SRP key here, which looks like XXX-XXX and so on. And then, when the server is up and running and set up, you see in the main dialogue this SRP key always displayed, so everyone assumes it's like your typical CD key, like everything else, like when you install a game or something. That's not the case. It's actually the secret between your company and RIM. Many people don't get that, which has a very interesting effect, because they don't consider that a secret. So we googled a bit, and we found presentations from people showing, this is how we installed the BlackBerry Enterprise Server version 4, on screenshots, of course including their SRP key, which will enable you to become this company when you talk to RIM and take over their entire email communication. And that's very interesting, because this key is used for everything, authenticating the company to RIM and back; everything is based off this SRP key. We're going to see SRP keys
several times in this presentation, but the most interesting thing is just this communication, or wrong communication, from RIM's side to their customers: it is their secret, it is their password.

Then in the protocol, for a message you have the gateway message envelope; that's the routing information. So you have the source, the sender, and the destination where the message goes, and those are in the form of PINs. When we talk about PINs here, it's not personal identification number, but what does PIN stand for? Okay, the RIM guy doesn't know. It's actually the device number, so every device... product identification number, okay. Every device, every RIM handheld, has a PIN. It's quite a long number; it's hex, I think 16 characters or something, and this is how they do the identification of the device. So the mobile messages, the PIN messages, have a source and a destination PIN and a message ID, and it looks like email. This is the format; I'm going to skip that. It's in a slide in case someone wants to hack with that. Application layer information is on top of that, so it's going to tell you if it's a CMIME message, or if it's a calendar update, or if it's an IT policy update. The IT admin messages also have capabilities to reconfigure the devices, the handhelds. They also have the capability to remotely wipe the device. So if you can spoof one of those messages, it's really, really good, but you need the SRP key for that. Then we found out that specific PIN messages are not encrypted. PIN messages are device-to-device messages per se, and those are encrypted, but if you're sending a PIN message from an enterprise server to a BlackBerry, then it's not encrypted. And also, if you're sending a PIN message out of the BlackBerry API from the device to another device, you can easily make it wrong and it's not encrypted. So if a third-party product tells you there is encryption going on because we're using PIN messages, that's questionable. So this is the CMIME format.

So the whole thing looks like this: you have the AES or DES encryption, you have the key ID in clear text, you have the session key encrypted with the device key, and the message is compressed and encrypted with the session key. Actually, the compression is quite something weird. We looked at it; we're not a hundred percent sure we figured out what it is, but it's not something standard. And we successfully implemented a packet dump... message... yeah, I got a... let's be there, bye honey. Time difference; she's from Germany. So we implemented a message decryption script, for free beer. So if you have the SRP key, if you successfully stole someone's SRP key, then we can give you a Perl script so you can read someone's email. What about the crypto? Apparently this crypto is pretty good; it's certified. We looked at the implementation. The implementation looks pretty solid, on the enterprise server as well as on the handheld. We are no crypto people, so the crypto details need to be revised and rechecked by someone else. This is how the dumps look decoded. Here you also see the I and the S in the message chunks, and you see the PIN messages, the PIN IDs, sender and receiver, which of course enables you then to do traffic analysis. If you're reading someone's messages, someone's traffic, like their SMTP traffic and their SRP traffic, meaning you own their border router or something, and, we're here, that's doable, then you can actually relate: you send an email to ceo@evilcompany.com and you see a PIN message going out to a certain PIN. You repeat that three times and it's always going out to the same PIN; you know the product identification number of the CEO's device, which might be useful in later attacks.

Protocol-based attacks: in the SRP session setup, you can of course, if you have someone else's SRP key, let's say, as I mentioned, from googling for their presentations, you can of course connect to RIM and say, hi,
now I'm this company. What's going to happen is that, on both sides... first of all, you have to make the other connection drop, but that's easy, we can do that, for example TCP window slipping or reset storms; you can drop a TCP connection. Then you connect, and then you are this company, and you get their email. If you have a war, because the server is trying to reconnect as well, then you're causing a routing problem, because RIM cannot decide which one of you two is the right one, so it cannot decide how to send the messages or where to send the messages. So what happens if you do that more than five times: this SRP key gets blacklisted. The interesting thing here is there is no procedure for unblacklisting it automatically, or for notifying the one who got blacklisted. So, by talking to a consultant who's usually setting up enterprise servers, he told us, see, we had this problem before. So they had a test system and a real system and they turned them both on, and then they didn't have BlackBerry for a week, and they tried to figure out what's wrong; they just couldn't get a connection to RIM. And after a week they called RIM and they're like, yeah, you're blacklisted, we could whitelist you again. But there is no notification procedure, so if you play this trick on someone, they don't have email for a week or two.

Protocol-based attacks, on the other hand, can also have, as I said, vulnerabilities. Unfortunately, the protocol is not very powerful, but even in a simple protocol they managed to fuck it up. So the string fields have a length field, and this length field has an integer overflow, so if you put a length value of minus five in there and you connect to your enterprise server and send this packet, then the enterprise server is running in loops and taking 100% CPU and stuff. Since we have clear-text PIN messages and we know how to send them, because we talk the protocol, we can now spam people, so we can go sequentially through all the PINs that are on the planet and just send everyone a message, and since it's clear text, we can also just spoof the sender. So RIM is actually coming up with a new version of the handheld software that's allowing you to block clear-text messages, because there's right now no other way to prevent spam from happening.

Enterprise server: this is how the enterprise server looks in detail. So you have this central machine running on Windows, having a dispatcher, MDS, alert service, attachment service, policy service, management software hanging off, and you have a connector to the mail system, and then you have a SQL server down there. Now the SQL server turns out to be a really juicy thing, but of course, if you want to attack something like this, you go for what's having the biggest attack surface. In this case, when you send in email, the highest attack surface is where the email is parsed, and the attachment service handles the most complex file formats: it handles Office documents, it handles images, it handles zip files. So this is of course where the money is, and this is where you go attacking it. First you look at what are the accounts that the machine, that the software, actually needs. Now here we see it needs local logon, logon as a service, local admin; it needs read-only administration of the entire Exchange system, and it needs read/write administrative access on the Exchange mail store, in case of an Exchange installation. So once you own this thing, this is what you get for free.

The SQL server turns out to be the really easiest way to break into an enterprise server, especially if you're an internal attacker. With Domino, for example, it's not set up for integrated authentication, meaning that it would use the domain accounts of Windows, but it's actually using a username and password combination. It contains tables with individual messages and the emails, all in clear text. It contains a table that has the SRP authentication key in clear text, sitting in a database. It contains tables with all the device keys; that's the keys that the device uses for encryption: the previous one, the last one just in case you lost it, and the new one that's going to be sent out to the device. And those keys can also be used for the traffic decryption. And the best thing about it: in a default installation it has a username of sa and no password, so you can internally just connect to your SQL server and get everything off it without much hacking. Once you got the SRP authentication key, and this is how it looks, I told you it looks like a CD key, this is the transform that you need to do before using it in decrypting traffic.

There's one very nice thing about the updates that RIM rolls out for the enterprise server. If you get an enterprise server in a default installation, release version, it of course doesn't have any symbols, but once you install a service pack or a hotfix, every file that got touched by the hotfix is actually coming including its PDB file. So you get the debug symbols for your server software, and that makes your IDA installation really happy, and of course you can bindiff the whole thing and find the bugs they already fixed. Looking at the code, in style it's actually pretty good C++ code. They use STL massively, so there's not a lot of string copying going on. The way they implement stuff is they triple- and double-check everything, so the receiving function is actually doing a select, calling a function, doing a select, calling a function, doing a select, and then finally receiving one byte. And they're generally using signed integers, so when you look for vulnerabilities there, look for signedness bugs. Libraries they use: for the Office document parsing it's the ice stream classes; then they use Microsoft MSHTML for HTML document parsing; the MSXML SDK is installed; and there is a parsing product that used to be from a company called Horizon.
and then got bought by rim that's actually handling all the parsing for the attachment uh for the other attachment classes um it's parsing pdf and word perfect natively and it's parsing images and zip files um the version we looked at and by now it's it's actually updated and they're running um a recent zlib but the version we looked at is um using zlib and zip d compression was um actually code taken from the contract directory of zlib so everything else is nice and tidy c++ and then out of the sudden you open ida and you see um one thing that goes like just straight c code for pages and pages and you're like oh that that doesn't look right and it turns out it's just copy and paste um and then there is graphics magic graphics magic is in um is used for image parsing and it's um a spin off from image magic and it's fully linked and including deba code and supports a lot of formats and this is um what you can do essentially is officially supported our png and i think gif and stuff um but you can actually um circumvent the main um horizon parser that's trying to fingerprint the file it's just looking for the first three or four bytes once you got around that then you can feed all those formats into um graphics magic because graphics magic is trying to figure out what file format it is for its own following a different pattern the change lock um actually i'm gonna skip that it it just shows that the guys don't know what they're doing um essentially um there have been the expected heap overflows like image width by image height multiplied by 32 um if someone puts in like um 4.2 billion as width and 5 as a height to multiplication overflows you allocate zero amount of memory and then you copy lots of data over that and it's called a heap overflow and you own the machine um same for the png parser um as i said zlib um is used in or was used in a non-recent version um that's by now fixed but um it was exploitable in this version we looked at and then you can do stuff like 
this so you get um a asshole that's the international esky symbol of an asshole on the internet um sending a evil message with the evil attachment um to the attachment service owning the attachment service which owns the entire machine and then of course you don't want to get a shell i mean you can have just a shell but what you want to do is um you use the existing code in the server to obtain the srp key of the database and then you use the other existing code in a server to send your asshole an email containing the key therefore if you're running an enterprise server uh you better separate the attachment service by now rim actually put out a um white paper that is actually telling you how to do that um so that's highly recommended so assholes cannot um yeah get your keys if you have the separate and if you have the attachment server running separated um you have a control channel that's unauthenticated xml over port 1999 um which is just used for varying um the attachment service and its performance values but you can also set the amount of um the amount of processes that actually parse attachments and someone forget to put in limits there so you can set it to zero um which of course makes it a happy boring not working attachment service or you can try how many processes this window windows machine can support at the same time um mine made it up to 7 000 and then crashed so um when you're done with everything else then um of course there's vendor communication so um in this case it turns out vendor communication was a very useful thing um although it takes some effort um to get together um we managed to get together like rim and phenolate did and the result is really good because rim is reworking the reworked already the attachment service so they're no longer using graphics magic um they're actually testing all the other attachment services now um to figure out if there are more vulnerabilities in there and their customers are actually doing the right thing and 
like securing the database and moving the attachment service to a different machine yeah and after um you're done with all that then that's the good thing getting drunk and printing offensive t-shirts I think it's time for questions if there still are any questions okay sorry for giving such a bad talk um I was just drinking too much over the days
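The width-times-height-times-32 allocation bug the talk describes is worth seeing in code. The following is an added example, not code from the talk, from RIM's attachment service or from GraphicsMagick: it puts the naive 32-bit size computation beside a checked version that refuses to allocate when a multiplication would wrap or the result exceeds a size cap. The function names, the 8-byte big-endian header layout, the 256 MiB cap and the sample dimensions are all constructed for this example; only the arithmetic (width by height by 32, and the 4.2 billion by 5 case) comes from the talk.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-pixel factor exactly as the talk describes the allocation:
 * image width by image height multiplied by 32. */
#define PIXEL_FACTOR 32u

/* Constructed policy cap for this example: no pixel buffer larger than 256 MiB.
 * A real parser picks this from what the service actually has to handle. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Vulnerable pattern, constructed to mirror the talk's description (not RIM's
 * code): 32-bit arithmetic wraps silently, so a huge width yields a small
 * allocation that the later pixel copy then overruns. */
uint32_t naive_image_alloc_size(uint32_t width, uint32_t height)
{
    return width * height * PIXEL_FACTOR;
}

/* Hardened form: reject zero dimensions, do the multiplication in a width that
 * cannot overflow, check the last step before it happens, and enforce an upper
 * bound. Returns true and writes the byte count to *out only when the size is
 * both exact and acceptable. */
bool checked_image_alloc_size(uint32_t width, uint32_t height, size_t *out)
{
    uint64_t pixels, bytes;

    if (width == 0 || height == 0)
        return false;
    pixels = (uint64_t)width * height;        /* two 32-bit factors cannot overflow 64 bits */
    if (pixels > UINT64_MAX / PIXEL_FACTOR)
        return false;                         /* the final multiplication would wrap */
    bytes = pixels * PIXEL_FACTOR;
    if (bytes > MAX_IMAGE_BYTES)
        return false;                         /* arithmetically exact but not acceptable */
    *out = (size_t)bytes;
    return true;
}

/* Helper for the constructed header format: 32-bit big-endian field. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Reads a constructed 8-byte header (big-endian width, big-endian height) the
 * way a format-specific parser would, then sizes the buffer through the checked
 * path. Returns NULL rather than a too-small buffer when the header is hostile. */
unsigned char *alloc_pixels_from_header(const unsigned char *hdr, size_t hdr_len, size_t *out_size)
{
    size_t size;

    if (hdr_len < 8)
        return NULL;
    if (!checked_image_alloc_size(read_be32(hdr), read_be32(hdr + 4), &size))
        return NULL;
    *out_size = size;
    return calloc(size, 1);
}

int main(void)
{
    /* Constructed headers: a 640x480 image, and the talk's 4.2 billion x 5 case. */
    const unsigned char sane[8]    = {0x00, 0x00, 0x02, 0x80, 0x00, 0x00, 0x01, 0xE0};
    const unsigned char hostile[8] = {0xFA, 0x56, 0xEA, 0x00, 0x00, 0x00, 0x00, 0x05};
    size_t size = 0;
    unsigned char *buf;

    printf("naive size for 4200000000x5: %u bytes\n", naive_image_alloc_size(4200000000u, 5u));

    buf = alloc_pixels_from_header(sane, sizeof sane, &size);
    printf("sane header: %s (%zu bytes)\n", buf ? "allocated" : "rejected", size);
    free(buf);

    buf = alloc_pixels_from_header(hostile, sizeof hostile, &size);
    printf("hostile header: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The naive path hands the talk's 4.2 billion by 5 header to the allocator as a little under 2 GB instead of the roughly 672 GB the copy will actually write, which is the gap the heap overflow lives in; the checked path never reaches the allocator for that header. Doing the arithmetic in a wider type is not enough on its own, which is why the cap is there: on a 64-bit host the exact product fits in size_t and the only thing stopping an absurd allocation is the policy bound.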