 Thanks for coming today to raising the security bar with garter You probably wonder what garter is and we're going to talk about that in the next few minutes here My name is Mark Schrockscher, and I'm the open source security lead at media current And what what that means is I get pointed to a lot of client security concerns or questions kind of monitor the security issues that come out on each Wednesday and other times on Drupal.org as advisories and Try to keep up with all the latest news and security and what's happening with that. It's it's a it keeps me busy But I've had a lot of roles over the years including IT and DevOps and Had had a chance to manage at times and done development. So had a lot of fun doing all those over the years again, I work at media current and We we build websites and applications that are enterprise level and they We've got a lot of great Drupal talent at media current and do a lot of fun But we were known for Drupal, but we also have UX and strategy and design and lots of other areas And and security being something that's a focus at this point, too So today kind of wanted to start out with a little bit of an agenda of what we're covering and this is mirrored on the Program page on the Baltimore site We're gonna cover. What is garter you may wonder Why use garter like why would why would you want to use this thing and what what makes it better than just rolling your own distribution or Just downloading and installing or using composer to install for d8 and a little bit of demonstration And then we'll talk about how to contribute So I think that would be remiss to not talk about contribution and I need help. Thank you So let's talk about what is garter So garter's a Drupal distribution and that is a combination of modules and projects and settings to Basically enhance Drupal security So we'll get into some philosophy on garter in just a minute Which I think is real important so that you kind of have an understanding like what you would get with garter and why that's important but The idea is that you this is a baseline that you could start a brand-new Drupal site with you're gonna get Drupal core and you're Gonna get some hardening tools for security And some additional settings that aren't default in Drupal So and a lot of this is geared towards and we'll talk a little bit about that shortly But they're geared towards the security requirements and controls that enterprises fall under so we'll kind of get into some of those but There's the project page. So you can check it out And we'll go from there. There's also a we'll talk about that in a minute But there's a garter core module that is a part of the distro that gets pulled in and controls all the settings So a little bit about the philosophy of garter One of the one of the key philosophy points that we have is the CI information security triad So a lot of times I've heard folks talk about security and they they think about maybe malware they think about You know viruses or or I need to patch a Drupal module. That's security. That's and that those are components, but there's also You know confidentiality of information, you know, are we securing databases and securing content and things like that? integrity is part of this triad is our database schemas consistent are the As a database moving between environments, you know, is everything going to All the columns and the settings and all that for databases and for other data models kind of gonna stay consistent And and not lose data for some reason that kind of thing. So and then lastly availability So probably the biggest availability Type related security thing you may hear about in the news and that sort of thing Denial of service attacks, but there's a lot more to availability like how about Engine X stain up and running that's an availability thing So those are all to me in the security Umbrella and things that we kind of will look at for garter so another Another nice reference. Oh wasp has a top-ten most critical web application risks And so these are some of the other items that that we like to That we like to kind of monitor for garter and make sure that it You know make sure that we're looking at all of these types of Security issues that can happen and you'll recognize a lot of these from security advisories And I encourage you to read those when they come out It is interesting and ask questions if you ever have questions about those. It's not it's good to know What you know, it's good to learn about security through the advisories, you know Why are we having a security update for a module or core? You know what's behind it? What was the vulnerability? That's that's a that's the thing you can dig into and so so some of these show up on those advisories, but But these there's also some other other interesting Items here and so I'll post the slides and get those out there, but You can watch past some references and you can check out those links and read all about Details on what these mean and and that sort of thing, but but we're gonna move on a Little bit into how modules are selected for garter so again garter is a distribution and it's and we'll kind of show how To install garter and how to get it running but a key component is the modules that go into garter and From a security standpoint, we want to make sure that we don't just grab every Module that just looks handy for security or you know, it looks nice and just included in something like this so So we want to be real careful about what we include in garter and these are some of the Some of the philosophy items around that so does the module fulfill a part of the CIA information tribe We talked about this triad and That is a that is a check we kind of look for Does it address one of the old boss top 10 issues? You know, it may not that's fine But it's something that you can kind of kind of use that to to evaluate also Is there a previous experience of the module? This kind of gets into you know who maintains the module and how is it maintained as their activity and issue cues? It the same kinds of things you would evaluate in the Is the so there's there's a there's an idea in security of attack surface So as we include more modules and more libraries and more components into our builds and our projects every one of those contain lines of code that can then Possibly have security issues so This is this is why you hear a lot of security folks and others and maybe lead architects who just like hey I know that module is handy, but there's not enough value in it and and we just don't want to include a lot of extra modules and That sort of thing so we really want to only include modules if it really provides a lot of key value and not just put it in there for For for just just because it's like there's someone thinks it's okay, but And the last one is a little tricky, but we also look at stable release and and this one is Is it is important, but it's good to say is there stable release? Where's it at? Is there progress towards a stable release? And and there's been a lot of discussion about this recently in the community and and I love seeing that so so, you know encourage encourage everyone to Work and to help contribute to to move modules that are important to community into stable releases so that they are covered by the security advisory policy So what would what to expect after installation of garter so what's gonna happen here? We install garter what happens, so you're gonna have a fully working Drupal installation, so that's good check All right The next thing is it's based on the standard Drupal install profile That's a current decision because it's kind of easy and that's probably what most people install with Drupal out of the box Unless they write a custom install profile Although we do tweak a few things along the way there, but and Then you're gonna have some additional you're gonna have the garter modules that are needed to be enabled on install Those are gonna be enabled some modules are including garter and they're left disabled and there's a reason for that We don't need to turn on every module, but the module may be there for a purpose may be for auditing You know, maybe it's something that not every site We feel like every site doesn't need but many sites Might need and we want garter to kind of recommend those best practices a good example in in the Drupal 7 version of garter is Two-factor authentication and we really highly recommend using two-factor authentication How many people use two-factor in some some way now? So if you're not familiar with that that's that's a method and it works You can use that with a Google and Apple and a lot of web sites use it now but it's a way where you log in with your password and then you're prompted for You may get a text message with a code or you may use something like Google authenticator or duo And then you can you'll get another code there that you'll ask be asked to put in it's a one-time code so So that's definitely a recommendation example for that and and then the and I think the most important thing that garter offers is the Recommended settings that garter provides now these settings are based upon a number of security standards and We'll get into some of that in a second, but but those the settings Mean that we're not just installing every module included in garter just default we're providing settings that are kind of embedded by security professionals and that sort of thing and And that that's a that's a great item that we could really use input on So if you help with guard we'll talk about that in the contribution but if you help with garter in any way and contribute love to have some input on the settings that we use and and documentation that points back to What recommendation someone might have like password policies and things like that? So why why do we use garter? We've kind of covered some of that loosely, but this is kind of the broad one security is hard and that's It's it's late in the afternoon, but that that's a fence that it's locked but you can walk around it so but it's But security is hard. I mean it's it's It's a challenge. We spend a lot of time on it as developers as system administrators and all that it's You know, it's it's a continuous challenge So any tools that we can use in any systems and processes and standards that we can use to make it easier is Really key really important so while security is hard and while you can lock down sites and secure them and And do those sorts of things. It's also there's also a balancing act along the way here you're balancing between you know security and usability and It makes it makes it very challenging So there's some organizations that just have they have to have extreme security controls in place And that's just the way it is there You know, there could be a government regulations could be financial sector regulations and that is You know, there's really that's all that's all they can do But also just because even if you have a personal website that you're running on Drupal or a small business website That maybe has no PCI compliance issues. It's it's could be you know, mostly informational there's no reason not to think about security on any website and I've heard people say this is important. I've heard people say that, you know, hey this website It's just informational. It's brochure where we don't need security Well, there's lots of reasons that that people could argue that down And you know one of them is if you're on a shared host and you don't Secure your which shared hosting is a is a is another challenge But let's say you're on a shared host a small website and you don't update, you know Drupal core you don't update modules when security releases come out Though that Drupal site can become a vector then to not only have someone access into the server your site But also to access other sites on the server. So you we put each other at risk about working together and I think I think this is kind of interesting and it kind of Usually makes management swallow a little harder when they see numbers like this, but you know, this this is It's not that, you know, I don't want to you know, don't want to Be up here and scare people but there there are realities There's costs to when you don't take serious security seriously And still things can happen when you do take security seriously, but at least you're prepared and you've got processes to deal with any issues hopefully that come up these these are some of the security standards and certifications and controls that that garter pulls a lot of philosophy and controls from so you may recognize some of these and I bet You know if folks in the room we probably have higher ed government You know financial sector folks that work in those you'll notice some of these you'll recognize some of these some of these You may not recognize but others you will because you have to you see these come through and tickets and issues and questions So I want to talk a second here on Drupal 7 garter Drupal 7 garter still supported. It has a stable release We have folks that are out there that use it and rely on it it is It will continue to have support as long as Drupal 7 is supported and through LTS and that roadmap and But it will have limited feature releases So we want to kind of keep it stable and not make a lot of changes at this point Well, we I welcome issues and the community that works on it would love to have any contribution that that's out there still but But we all we do want to kind of keep that stable and and we're working harder on the Drupal 8 Components now, so we'll kind of jump into more of a Drupal 8 specific mode Does anybody interested in Drupal 5? garter That woke everybody up. Okay. You guys are paying attention. That's that's good. We did not have Drupal 5 garter, but So I Could I would be remiss if I didn't mention Drupal 8 gives you Better security out of the box So even without garter and I and I argue garter infuse it even more Drupal 8 is really nice from security standpoint so these are some items that that you just get out of the box you install Drupal 8 and Again, I don't want to misconstrue that that means that you're secure and you can walk away and everything's fine Security is more complicated in that but you get all these things. These are improvements Enhancements from Drupal 7 so I and I don't want to say that Drupal 8 is not secure. Drupal 8 is secure It's a fine system. There's always things you need to do enhance and improve and and sometimes you have controls and requirements That you just have to meet so that's kind of what we're addressing so Drupal 8 garter so so This is really right now for new Install so you're starting a brand new site But there's some work being done now And on actually including garter and settings in existing Drupal 8 installs. I'm real excited about that Well, we'll see it work if it works how well it works But one of the one of the requests that came up a lot in Drupal 7 garter was how can I add garter to an existing Drupal 7 site? So Drupal 8 makes things a lot easier to add To to I believe to add garter later on to an existing Drupal 8 site, and I'm really excited about that and So more to moral come on that But we're building on top of Drupal 8 security enhancements So we've been we've had a development release in it and up until today But I'd like to announce that we have alpha one out now. So So We say yeah so And thanks for everybody's helped on that along the way So that's that is exciting So we're gonna have continued support new feature releases and and and because it's it's based and install is Through composer you can use composer install and update processes as you would following It's pretty much same instructions on other Drupal projects to to handle and work with garter So as far as security features One of the things that is kind of neat is some recommended core configuration settings And this is done in the garter core module through Config factory and so we're we are basically We move and we did this in seven we move we're logging watchdog if watchdog is used We move it to keep in a million entries if you keep a thousand entries as the default for Drupal That that can work, but that that makes it really hard to audit. It's a it's a shallow log can be Obviously it can get even worse if you have a lot of php errors and things like that So it's good to keep systems always check those errors and make sure those logs are clear Because they can they can make it hard to find problems Along the way so some account settings we we force Administrators as the only folks who can register new accounts We we turn off personal contact for contact form for new users and the So for updates update notifications We're checking updates for uninstalled modules and themes. I think that's kind of nice But that is part of your tax service As you remember probably I think last year there was an update There was an update to coder from a right that That it did not have to be enabled and that can happen So those types of situations just because the modules is in your code base and not enabled does not necessarily mean there could be a vulnerability down the road that That could be used And so we're also setting email notifications threshold as a start to only security updates This is something that could be changed all these settings could still be altered afterwards and saved to config if somebody needs to make Changes on top of this that's fine But we look at that like if you are doing daily notifications or something like that on your site And obviously a lot of us handle that if you know these reports differently in different environments But if you're relying on the built-in update process You know You may have some releases that are a few Behind that are just bug releases and and I really would like to see notifications really focus on security In that but that can be changed So some modules that we're using we're using a password policy module And that that allows us to set a standard password requirements for users And Drupal has some nice built-in features to talk about if passwords are stronger or weak and some recommendations But this this makes it where you can comply with security controls in an organization an organization says we've decided This is the password policy, and this is what it should be and So that's that's a good one login security module allows us to handle brute force attacks and and say After three attempts, I believe are set to three attempts right now in seven and So after three attempts then that account is blocked and that's a recommendation because that's a requirement by a lot of the Security controls that we've reviewed it might turn out that that's a bit You know a bit much for your your instance, and you can change that to something else But I think keeping an eye on brute force attacking is good Drupal also has some built-in help with brute force attacking also In addition this just sits on top of that so mass password reset this is an example of a module that we don't enable but There there can be times when a site you need to you need to reset all the passwords on a site at one time and there's been some some recent reasons to do that and there's been reasons in the past to do it so That's what this module does. It's there. It's a recommended garter module for that you enable it I highly recommend this is one of those things you enable in a testing environment. You test it Make sure it works because it is going to reset everybody's password Session management, this is a important item. So we're using automated log out so we garter recommends a 15 minute log out and a lot of a lot of people Will go. Oh, no, that's that's too much. You know, that's I want users to stay logged in, you know for two weeks or a week That's okay. If you're not under security controls a dictate it, but there are there are there are requirements a lot of organizations Absolutely have to have logouts force logouts after that that time. So again, those are settings. It can be changed garter though sets these up for you session limit allows us to Limit the number session so that you can't be logged in to the Drupal site for multiple instances using the same account We don't we really don't want people to share accounts. I think all of us understand that but you know It's convenient. Sometimes users like to share you just use my account and you can log in, you know from home or whatever and This helps this helps eliminate that and some other issues This is this is the security kit module is is a module that provides kind of a number of Items that that help with enhancing a click jacking and Some cross-site scripting vulnerabilities and it also Content security policy it has some controls for that Which is a little more intense on setup We don't we don't engard or dictate that those settings because that's very particular to a website setup But we like to have security kit offered so that that's available As far as system monitoring auditing logging those types of things we're using login history module And that that lets us track every login that happens with IP address date and time that kind of thing And and I would say there's a number of This is a great point of contribution anybody that wants to help the community there in the seven version garter I have a lot of logging modules that do logging of all kinds of things and many of those are not updated Drupal 8 yet, so if you would help want to help us something and some of them are fair This would be great entry points for folks who want to contribute Logging logging important things like when roles change and things like that that that that can be really really useful So love to have help We're including the security review module. It's disabled, but this is a way to run a report and see Is the site configured properly that sort of thing And again, it's disabled because a lot of us have environments where we have other tools to do this type of check Additional features the diff module The diff modules handy for a number of reasons including checking diffs of content things like that and then redirect 403 to user login This was this allows us if if let's say automatic automated log out times you out logs you out But your URL is still set to a log, you know a path that a route that has to be logged in has to be authenticated When you try to access it, it's it's going to redirect to the to the login page letting you log in and it Take you back to that original route and username enumeration prevention this this This module is one to prevent and I'm trying to explain this And it may not prevent all the cases because there's lots of places this can happen but the goal is to work towards preventing places where a User who shouldn't be able to find lists of all the user names on a on a site access to those so there was a famous Hack years ago where someone went into to a system telecommunications company and they basically Enumerated all the users and we're able to Gain access and figure out logins and who was using a system just just for the fact that they had all those user names, so that's So this is one where you really you really don't want people being able to list users and take that data That's that's some information disclosure that we don't want to have So as far as demonstration garter we build garter with composer, so we download it we run composer install If you are including garter in another which you can't include garter in another build right now if you're starting from scratch You just require garter with composer, but But it's pretty simple. We just Run composes and composer install And do that so I had to have a I wasn't gonna run composer in here Live and I imagine folks can figure out why so here's a screenshot. It works and try it So here's an easy way to install garter if you want to if you want to check it out install garter and try it You can clone the project You can change director any garter run composer install and then you can run drush quick Drupal I still call it quick Drupal. I think it may be called something else now, but it's still aliased and this is a great way By the way quick Drupal is a fantastic way to quickly test and run Drupal and try some things out on an instance and you don't have to have a full environment running So kind of a You know to her side here of things So I mentioned, you know, how great quick Drupal was But I've got a Drupal VM set up and I'm gonna install garter with Drupal VM Then I have set up so And this is my setting for that And do not make your username admin do not make your username at your password admin That is for example here and is a poor example at that So I just want to point that out. This does not say doesn't that mean you should do that As a matter of fact, that's an important thing while we let this load here you A lot of times just you shouldn't even include the word admin or administrator in your your main UID 1 account Make it something completely different something arbitrary. That's hard to guess real important. We're just about done here and See if we can load it up not quite yet. There we go So, you notice it looks like it looks like Drupal 8. Yeah, so a couple of things here if we go to reports If we go to Available updates, we'll see some things here and that was not loading. I'm gonna actually Kick off to to our module list anyway. I want to hit this first So if we scroll down through our modules You'll notice that we have some garter. Here's garter core. This is what drives The config for garter That we recommended settings that we talked about but here here are some of the security modules, you know, some are enabled some or not so that's in there you'll see that and Yeah, so here's reports So under reports we have login history. There's an example kind of what login history gives us And also under available updates You'll notice that it's I'm not getting back out. I guess to the Internets so it's not getting the data, but it's it's checking all installed modules and there's the uninstalled and And under settings here we can see that we're only getting security updates and the check for that So there's some examples of the configuration, but it's it's not it's not real exciting is it? But but the the nice thing is you've got your you still have your base You're still gonna build from this world anyway But you know that you have a lot of security settings on top of what's already there to make it even better and So those are some of the some of the components and I want mention The roadmap here so It looks like I'm trying to connect. Let's see if we can hop on another connection here So so as far as roadmap items We are gonna continue to work through The Drupal 7 the Drupal 8 crosswalk plan which is documented on the site on the project page and That's kind of showing us all the projects and seven and what we plan to do for a we're gonna evaluate more Core config and see where we can harden those settings better Really want to add the ability to add a add guard to existing eight installs And really need a lot of documentation help so another way to contribute right there to the project and While we're talking about contribution, how do we contribute? First of all, I really want to thank all the organizations Classic graphics and media current and all the others who have contributed a lot of individuals over the years You guys are amazing and all that and and it's it's awesome to see people You know it feels good to see people pop in folks You don't even know and you meet through the project and that's a lot of fun So I encourage people to contribute to Drupal just because of that It's still such a neat thing to see and I did want to thank the Drupal security team everything they do because that Helps us an awful lot. We learn an awful lot. This is something by the way most Be careful here not name and names, but many many other open source projects do not have anything like this This is a big deal. So People ask why would we use Drupal? This say this especially to enterprise folks that is that is a huge deal So how can you help we've talked about most most of this writing documentation? Supporting garter users. There's people that have questions and need help testing patches and updates developing new features and As far as how to get involved So we've got the issue queue there's our documentation node It still needs to be migrated to the new documentation system. So any help there would be awesome and And we're on Drupal garter on IRC. We've also got us and Drupal slack We've got a slack channel for garter. So, you know, I'm hanging out there, too So feel free to jump in there and and follow us on Twitter Where we post some security related info and and updates And I definitely want to open it up for questions. That's that's what I have so does anybody have any questions this point? Thank you. Did you have a question? Okay. Who's ready to install garter? Benji So if it's mostly a collection of modules and some configuration What's holding up a full release for for Drupal 8 or or is it more than that? Can you repeat that if it's more than just is it more than just a collection of other Contributed modules and some additional configuration. Is it more than that or if it is just that what's holding up a full release for Drupal 8? so good question and and I think the one thing to mention is that That I think the settings are the important aspect of garter That you know and that is exactly what it is You nailed it the settings are the real key piece because we could take we could all just take those List of modules so we get a post that on blog posts and just start including them That's been done lots of these blog posts are out there, but the settings are what's important and What's what's actually holding up any further release at this point is I would like to get a Feature not not Drupal feature. I would like a feature for the project I would like to include to allow you to add this to an existing Drupal 8 install so before we hit Further, you know following kind of release management here. I want to and before we would get to You know betas and release came and I really don't want to be adding some major feature like that And I think that will be the last major piece that we want to have before we release a stable release and that'll get us there But but I think that's real important because it's so many people have asked for that How do I add it to a project and what's more important than that not just add all this stuff to an existing project because here's What's going to happen a new project with garter you What's going to happen in my my opinion? We'll see what happens when people submit into the issue queue But I think what's going to happen is if we just said you can add it now to an existing project And it if it tried to add config and do things as a 16 site It might cause problems and so what we want to do is have a way so that you can go into garter core and just Check off the components you want to actually use So be real specific because maybe password policy is all they need we want to garter password policy We want auto log out some session management, but we don't want Maybe maybe we don't want those core settings change. Maybe we don't want some other things We I want to I want to set it up so that so only certain components can be checked off and added So I'm thinking that I might install something like this on an existing site And then do a config export and do a get diff and review what's changed in my configuration directory But you want something that's a little more user-friendly than that. Is that the idea? Yeah, exactly I want to follow the kind of Drupal's philosophy. We all love command line probably in this room being more Maybe security developers. I don't know who's represented here, but but I still like Drupal's philosophy of allowing some easy UI Config still available and that feels like a core Drupal philosophy over the years Good question Anyone else? Are you working at all with like aqueer or pantheon, you know, because when you install from pantheon They they've added some of their own customization as well to core Yeah, and you were asking about the pantheon Changes that they make to the drops branch for instance and how that works Yeah, this is That's a good that's a good question. I haven't really looked into that at this point and I don't think he bills on the team has but It's definitely something that that would be worth considering. I don't That might be another reason why we would want to be able to add to an existing site in that case I Don't I see that being more of a thing to to look at with the pantheon side and maybe with aquee We wouldn't need to really worry with it any changes. It could use garter as is But you could maybe follow that that this add-on idea With with pantheon you would have to do all the drops release You know changes they make in the core In additions and then and then you could that's why I really kind of want to get this other bit in there Because then you could just apply that selective editions and it should I think it'll work. I mean Yeah, it's not there yet, but a good question. I want to take notes on that. Yes So this is wonderful, so I'm so impressed that my question is like is there any part of the guard core module that we can use like With the existing group of installation right now like just using the module. That's a fantastic question I really wish I put that in a presentation. I will add it for next time, but I'll answer you now because you asked and it's awesome Um, this is something this is that's something that's been asked before and So garter I kind of feel like can be an academic Thing too. So, you know, and I'm I think it's great open source. That's what it's about, right? We'd like to dive into the code look at the code. How's it done? So there's absolutely no problem if you Go go look at garter core for the settings. Go look at garter the distro And you can you can that's what I've had to recommend to Drupal 7 users who want to add Garter things to Drupal 7 sites that exist All I can offer right now is to say You can go and install the modules and then you can look at the config and then manually config those settings you know we looked a long time at using features, but then we knew that they would get overridden and So so we didn't really we never really finished a solution for it, but but again Drupal 8 just for example putting the modules installing modules back in the Web group modules as a fan is great that helps that actually helps this this project a lot where those modules live So good question Anyone else good question? This is this is not in for you know, two fifteen three fifteen in afternoon. Amazing Have you looked at adding any encryption modules? Yeah So on the roadmap we've got we do have some encryption modules Listed as something that's on the crosswalk plan. So we had I think we had some I think there's there may be one in seven I'm not positive But but it's something I would definitely consider I'd love some input though I get really concerned when we talk about anything encryption and signing off and saying this is okay Because I start to worry that then people start to use that and and if I'm and I'm really concerned when I see people who try to write their own cryptography so I'm not that smart at math To do that and lots of smart smart people are at math that do cryptography. So So yeah, so I would I'd love to hear input On folks who do know and say this this module is is a good one to use for inclusion and I know there's been a few of So so that's that would be great I think and it's something that frankly enterprise clients ask for they need to encrypt and you know encryption at rest on databases That's that's a big issue also and that gets into infrastructure and in a another contribution point that would be fantastic is That I'd like to see some documentation for garter that says here are some additional recommendations that can help with infrastructure Recommendations and some maybe guide points and also Where it works out. I really want to put non garter recommendations, but a garter recommendations that can be That the community agrees on Quoting quote agrees on at least you know people don't argue about it too much But if we can get some Some of that going I'd love to see any of the general security things that come out of garter actually get Not in the garter documentation, but actually post it in the main security docs on Drupal because I think there's more visibility People are gonna find that quicker than the other so That's awesome One quick thought just more a comment than a question about if you're looking at How to evaluate encryption modules if you see any sign that the module author implemented the math Don't use the module So you said implemented math you were commenting about it's hard to evaluate the math in encryption and I agree I got you as a non-cryptologist. I Much of that math is outside my skill set Anytime I see sign of the algorithm being in the module. I'm done Because the chances they got it right are so slim Versus if they're using an underlying library Yes, out of PHP itself or some others more reliable source that For me, that's the end of evaluating the module the oh AES is actually in here. We're done We're done except is it implemented is AES implemented correctly Well, that's my point is no If it's in the module, yeah, my assumption is no it is not yeah, and so as soon as I find it Then I'm done. It doesn't mean it is done correctly, but it means it is almost certainly done wrong Yeah Yeah, it's it's over that that's a good point. That's that's really valid So any other questions? These are some great questions. I really appreciate that This gives me great ideas to kick off on next rounds of work and issues And my screen saver finally kicked on so that that may be the answer to that. Well, I appreciate everybody Coming today, and I'll be glad to answer any other questions up here The very nice Useful so the funny about this project is this is not a heavy-duty coding But this is this is a distribution. So it's on it's a little bit of a box Some of the coding has to do more with the configuration So it's not it's not it's had mirrors They're super intense I appreciate it and it or a hit the issue cube One of you self even on documentation verify that Give like on that one slide even work there. They are what I say. They are or that they make sense We make assumptions Forget Thank you so much Okay