Does anybody have any idea what this talk is about or how important it is? This is... this, in my opinion, is the real important work. So normally I would just give you the boilerplate, but, you know what, I'll do it anyway. So the emergency exits are all around you. The normal entrance is where you came in, and the normal exit is directly behind you, because everything you want to do is directly behind you. There is nothing that way. There's a talk that way, but you got to get in line for it, and that's hot. Yeah, the outside is that way. You don't want to go that way. So I think I'm... yeah, my time is quickly closing. I'm gonna just go ahead and hand it over to far to blow your minds.

Thank you, folks. I don't know about any mind-blowing, but hopefully I will freak a few people out. I've lost some business, so hopefully I'll get some business back. Yeah, better. Yes. Okay, I can hear myself. So, okay, I guess all of these are kind of... I'm obligated to tell you who I am and what I do. I hack stuff for IOActive. I don't really know how to categorize what I do. I just kind of find weird stuff, play with it, try to find where the relevance is in some piece of what we do for business. I'm not really good at sort of being the professional security guy, but as it says, I know how the pixies flow. I tend to be pretty good at looking at the security interface, the physical security interface, for embedded systems when it comes to how electricity, electrons, noise, RF and stuff like that get used. And most importantly, I'm not interested in hacking one thing. If I'm gonna hack some stuff, I want to hack all the things. So this means I don't want to just find a buffer overflow in something. I want to find an unpatchable, unfixable buffer overflow that no one can do anything about, and if I can, write my name on it. Anyway, also, as it says, I'm a local or an amateur lockpicker. I'm not very good. I've tried cracking safes and things like that.
I can't really crack safes the old-fashioned, like, listening-with-the-stethoscope kind of way, but I thought this would be a really fun way to kind of put my stamp on lockpicking. So without getting sort of too into the weeds, we're going to talk about some of the previous high-security lock designs and really how similar they are, and why the attack that I've been working on is kind of a systemic flaw in pretty much every lock designed by Kaba and make system many other designs. We're gonna talk about how the locks kind of evolved from sort of point-to-point and sort of look at the security boundary as far as electrons go. I'm gonna have some schematics up here. They're not really schematics. They may look like schematics. They're block diagrams. They're really just to kind of talk about where that security boundary is between locks. And then of course I'm gonna whine about secure disclosure a bit, because everybody's whining at me about it.

So for these locks, the most important things to know are kind of, kind of these bullet points. We're trying to make an electronic lock a thing that's exactly like the old lock, that replaces the old one exactly, the mechanical, brass-made machine thing. But we want to replace it with electrons and pixies because those are more secure. They have "secure" in them. So all the requirements we have here: they need to be long-lived. We don't want any batteries in them. But now that we're making them electronic, we want tiered permission schemes, multiple users, time windows, all kinds of interesting things like that. And because of all of these things, these locks are going to be more secure.
We're sure of it. There's no real reason why; we've just made them electronic.

So this is your basic lock design. If you're gonna put something together with an Arduino, this is probably what you'd do. You'd probably use an internal EEPROM, but whatever. You have an external EEPROM, you have some place to store the personality of the lock, the actual individual stuff. You have a microcontroller that's got to do the interfacing with the real world. If I want to be long-lived, I've got to have something power me externally. And you kind of see this little dotted line. I'll use that in all my schematics to kind of show the privilege boundary of the lock. So anything that's on the right-hand side of that dotted line is going to be something that is available to an attacker. Everything on the other side is theoretically inside the physically secured safe.

Okay, so we've added some security to our design. We're basically doing the same thing that they did in smart cards, where we're trying to use the power line as our communication line. So we'll just, we'll power ourselves off of that internal IO line, store that in a capacitor, put a diode in there so you can't glitch me out, and done. Let's call it over. And that's what CyberLock did. I'm just gonna beat CyberLock over the head really quickly, because I think it's interesting, because every single one of their door, indoor cylinders were beatable with bullshit crypto.

When I did the analysis... actually, let me go back to that real quick. You can actually see... I love this little quote right here. I just kind of threw this in the original advisory: "You could probably extract the private key through power analysis, but I don't really think it's worth the effort." This is the actual power trace that's in the report, and you can actually see, between the A1 and A2 markers, there's kind of a little bit of a wiggle at the top of that line, and that's actually the microcontroller transferring its internal EEPROM contents into the microcontroller as the lock gets
powered up externally, and that's pretty much our target for, for at least this presentation.

So, you know, we've seen basic pluses and minuses: don't need batteries, have an audit trail, have all those special security things. But of course we started with bullshit crypto. We started with making it reliant on external power sources and the, you know, basically attacker-provided power. And of course we made sure that they couldn't be firmware updated or anything, so once they're in the door cylinders, every single door cylinder's got to be replaced.

So this is, this is kind of a little bit of a quick tangent. I'm not gonna beat on this too much. As a result of the CyberLock work, I got one of my, I want to say first, but just most recent DMCA cut-your-shit-out letters. And I just, I find it really annoying that, working in electronic locks, that this is the response that we get now, when sort of, you know, 200 years ago the idea of perfect security and the likelihood that a lock was going to be broken at least was somewhat accepted. People were looking to try to figure out where the reality of that lock security is. But now, with sort of the inherent encroachment of software security in this area, we're starting to see the same sort of strategies from software security: soothe them, threaten them, claim it's not a problem. I'm okay with "claim it's not a problem", but soothe them, threaten them, claim that they've, they've violated some sort of code of ethics by not going to the government first, which we did. You know, that kind of stuff is really starting to get annoying. That's my quick tangent on that. We'll put a pin in that and get back to that.

There's another lock design that you start seeing that's a pretty common one. This is your, your standard home safe. This is kind of the thing that you might have in your hotel room. In fact, these locks have actually been pretty thoroughly beaten. Anytime you have any sort of external power source, you just threw together some really shitty code.
You're gonna introduce timing flaws. You're gonna introduce some interesting power analysis, and I think both these guys did, guys did some, some really good job. If Plore is out there, I owe him a beer somewhere. If Dave is out there, I'd probably owe him a beer, whatever Australians drink. I know, it's terrible.

But this lock design is pretty obvious, right? We have the battery on the outside. We know that we can measure current flow from the battery. If you're gonna steal pixies from the battery, of course I can measure current flow from you. You've also given me a ground; of course I can reference myself to your internal circuit. And, you know, we've kind of learned that these kind of designs are cheap. They're, they're really easy to crank out. You don't have to have software experts. You just throw it together really quick. But it's still reliant on external power, and then we've introduced these at least two side channels in this new design. I don't believe either of these lock designs have really done anything to update that.

So, okay, what, what are we doing with these kinds of locks in other places? And this is where I get to my other quick tangent of things that I really enjoy working on: ATMs. It turns out that ATMs also use combination safes. And here's another guy I owe a beer to. I really love this video. If you want to go look it up online, it's the greatest thing ever. He basically spends a full minute talking about how, in the old days, attackers would try to go through the safe door to steal the money. Makes sense: go the straight through just to get that money. But then goes on to explain how malware seems like a much more reasonable way to steal money these days. I kind of figured, why not?
Let's look at that lock. This thing is everywhere. And I did some work for a customer, and it turned out their ATM lab, every single ATM had one of these locks on it. Didn't know how ubiquitous they were until I started looking. So it turns out this lock design is kind of full. We have... you can't really tell the difference here between a gen one and a gen two, but we have basically two different versions of this Cencon, and we have an Auditcon, and we've got all this banking stuff. These little, little tiny iButton devices that, look at it, it just looks like security. It looks superficial. You got to use your iButton, everything, to get it. It's, it's two-part authentication. And this is more or less what you're looking at, schematic-wise. It's, it's actually pretty interesting.

Just to kind of go over, really quick and dirty, what the interesting bits are: we've got a self-generating power. So there's no power now external to the safe. They're just bringing power in by generating it with this little knob. It's my terrible drawing there. The knob generates power internally. When the lock has enough power, it'll boot up and happily display things on the LCD, and you can input the code and, and do things with it. But I can't directly measure the current flow here, right? The battery's on the inside. How do I, how do I even look at this?
It turns out if you take the same approach... so here's the, the Auditcon, not too different. If you take the same approach and look at both of these, you know, power and ground lines, you more or less see a stable voltage. But if you AC bias that signal and take a look at the very tiny wiggles at the very top of that signal, and amplify the fuck out of them, you end up getting that same side channel back, even though you're not drawing power from these insides. It's, it turns out that having power drawn from the outside of the safe is enough to kind of make that current flow variation work out.

Just skipping over those real quick. These are kind of the insides of the safe, just so you can kind of get an idea of mechanically what they are. There's nothing too interesting going on with them. Here's the S2000 we'll do the proof of concept on. The Auditcon is very similar. The generation two, you can basically see they're almost clones, except for some new features have been added. But you're looking at an 8051 microcontroller in the case of the Auditcon, in the S2000. They don't even have the room for crypto in these things. The generation 2 is an MSP430, and we'll, we'll talk about that a little bit. But digging through the patents for these locks, you can kind of see they didn't really have an idea of what security really meant when you're trying to deal with these internal EEPROMs. They basically talk about trying to mix and hide bits. You could probably extract all of the information necessary for doing something like the banking modes by looking through the patents. But ultimately you're dealing with ANDing, ORing, exclusive-ORing, nothing too fancy, to generate a combination from the internal authentication data. This is basically what you're looking at internal.
So in this case, we're talking about the S2000 lock. We're getting a little bit into the actual attack that I'm going to show a proof of concept for, and this is fairly consistent along a lot of the locks. You have the parts of the EEPROM that the lock would read as it's trying to read its identity. You can see the second hex line, the 0x200 address, starts with value 2 in the first case, so that's a shelving mode lock, and the other one below it is 05; that's a bank mode lock. But basically these three authentication fields are all that make it up. It doesn't... everybody sort of focuses on the fact that I'm working on the simplest version of the lock configuration, but regardless of the lock configuration, it still has to read the same EEPROM contents, and the same EEPROM contents provide everything necessary for generating combination regardless of the mode. It might just be that, as you can see here, an iButton is required to identify itself to the lock. You would need to figure out what that iButton number is, which is also stored in the external EEPROM, and you'd have to emulate it with Arduino library. It's pretty straightforward. But as far as getting the power out, okay, or as getting the, the actual data out, this is pretty much what we're looking at.
This is the actual side channel, or at least one version of the side channel that we're looking at, along with the actual data that it represents. When we first looked at the lock, I thought I had this thing beat, because we're looking at the soft I2C section. You just look at the first few bytes of that transfer. In this particular side channel, because it's I2C, soft I2C, the edges between the clock and the data line are not perfectly aligned. So the timing signature between them is slightly offset, and then your data looks as though it's been Manchester coded. If you see three blips, you go, transfers from a zero to one; if you see another three blips, cut, transfers from a one to a zero. And, uh, you dig a little bit further and it turns out I can't do that. Um, that only works for the microcontroller talking to the EEPROM. If the EEPROM's talking back, those edges are simultaneous.

But after spending a little bit of time filtering and sort of poking at it, it turns out that the ones are sort of preferentially leaked on those high sharp edges. All right. You can, you can sort of see in both of these, as the goes from a one to a zero and a zero to one on that clock edge, there's these high-frequency spikes that sort of happen. Those high-frequency spikes like to leak out there. They're very high frequency. They've got lots of harmonics. There's a frequency they can leak out on, they will. And that's how I wrote the first proof of concept, in fact. Um, but because I had no faith in that actually working on stage here, uh, I rewrote the proof of concept, uh, to work against sort of the lower-frequency data set of the side channel. Uh, so in this case, uh, you can actually line the bits of what the actual... this is actually the clock track, not the data track. Um, but then you have the power trace aligned perfectly with that clock track. Can anyone tell me which ones are ones? Right, thanks. Can you pick that out by hand?
Um, so I think that's basically where I'll get to my proof of concept real quick, uh, just to prove that I can actually do that automatically. But I don't think anybody should really focus on the idea that I can do it with an automated script, since this is basically what it looks like. If you spent the time to align the traces, you can extract that signal by hand. So let's, let's see if we can pull this off by hand first. You're not gonna play.

So just so you can see, uh, this is my S2000 here. I don't really have anything going on except, uh, oscilloscope probe jammed in the data port, uh, the actual iButton port. If everything goes well, uh, I'm gonna hit, uh, uh, single, just to get a single trace. Uh, I may have to boot the scope, uh, boot the lock a couple of times, but we'll just get a quick power trace. That one kind of looks okay. I'm not sure that one will decode, but let's find out if that one will decode. Come on, work with me here. Gestures. That's, uh, of course this is not going to go quickly. Is there LF PoC? Download from the scope real quick. If not, I will just switch to a pre-captured. Yay, oscilloscope downloads.

Uh, so once this downloads, we'll just, uh, run it through the low-frequency PoC script. It already knows what the alignment, uh, for each of the edges of the square wave should be. Uh, and ultimately what the... this is the actual proof of concept code right here. Uh, so what this guy is actually doing is, once we've gone in to find where the byte offsets are from the trigger point, we synchronize using the high-frequency data from the, the actual lock itself. Sorry. Oh, you're not even seeing the... the download, shoot. Let me, uh... so this is the actual proof of concept code. I apologize. Didn't know you couldn't see that there. I'm bad at this. Uh, so these are the actual byte offsets.
Um, we're using the high-frequency data in the signal to actually create an alignment. Uh, so we just filter for everything above 100 megahertz. We get some nice sharp spikes, use those sharp spikes to create our zero alignment. From that zero alignment, we calculate our byte offsets. From each byte offset, we have a clock edge, and ultimately what we're calculating is the difference in power consumption between the positive-going clock edge and the negative-going clock edge. If that rises above a certain threshold, then that's, that was a one that got transferred.

Um... this looks really dirty. So we'll give that a try. You know what? I'm just gonna do that one. Let's just do the capture I did earlier so that I don't have to have a heart attack anymore. Unfortunately, it looks like my signal was clipped out of the top a little bit and clipped out of the bottom. You might just have to do a recapture. Uh, but this is ultimately what we get when we... oh, shoot, shoot, shoot, shoot, shoot. Bringing all these little windows over here. These are the little windows that actually decode the data. The output is actually this guy right here. Can actually see, so this is the expected data that we would see internally, with this being the lock mode, and then these three bytes actually being the shelving mode combination. And you can see we have a lock that is in fact in shelving mode, with combination 1 1 2 2 3 3, and for whatever reason it's in hex. I don't, I don't actually know why.

We're also going to miss a few bits here. Let's see if I can actually get this. Yeah, we missed a bit there. You kind of see there's a little bit of a spike of noise in our waveform. Um, but you can pretty much always see when you lose this bit in the waveform. Uh, there's nothing too insane about sort of manually parsing it. The problem is creating a simple rule for how to threshold that bit out. It's not exactly easy.
Um, so don't concentrate too much on the fact of creating an automated script for this kind of thing. Uh, so to maybe get back to the slide deck a little bit. The, uh, once, once the lock is actually booted and you have these three authentication fields, all your actual side channel attack has to do is extract what those three fields are, and from that point you can calculate, for any of the generation one locks, what the opening and closing, closing codes for those safes should be. So as far as I'm concerned, any Cencon generation one safes that are actually in deployment are basically dead. They're, they're not safe. The...

Let's do this a little bit story-wise. When we reported this vulnerability to Kaba, um, there was a few things that happened. First, we found out that we reported them to the wrong Kaba. You'll laugh, but this is going to be a really funny detail. Uh, that guy Kaba was like, "No, great. You did some great work. We really appreciate it. I'll pass this off to the other team that actually works on these locks." Um, said, "We only work, we only make government locks. Um, we make the X09 series." Uh, so I googled the X09 series and actually found some really interesting stuff. Um, uh, the X09 series actually looks like it has a similar design to these Cencon locks. It's made almost identically, same, the same design pattern. Uh, we told them this: uh, maybe your locks might also be affected by this design pattern issue. And he said, "You don't have the authority to test these locks. If you are doing any research on an X10, the feds will be after you and whoever sold it to you." Okay.

Uh, we then went off and notified our banking customers. Uh, and they said immediately, "Well, what about generation two?" Uh, there's a generation two? Don't know anything about it.
I guess I'm gonna have to go buy some. Uh, so at the same time I found out about generation two, and I found out about the Auditcon, which is used in pharmaceuticals, uh, weapons storage, anything you might want to have sort of an audit trail for the number of people, maybe a multiple people who are allowed to access that. Uh, the Auditcon just falls to this vulnerability. There's a master code. The master code is directly read from the EEPROM, so there's no banking mode or any dicking around with any sort of iButtons or anything. You can just put in the master code once you've extracted that, and that guy will open.

Uh, generation two, you can actually see the power trace. I can extract that shit. That's easy. It's loud. It makes lots of noise. Um, but when I spent a little bit of time with it, it turns out that it actually does seem to try to use encryption internally to prevent you from pulling off this attack. So either they knew that this was a possibility or they were just suspicious that it was a possibility. Um, and I'm gonna put a pin in that. Oh, you know what, let's get to that. And now, while I can't totally tell you about what happened with the gen two, while I was getting my shit together for this presentation, uh, I decided to go and look back through the gen two, and rather than saying that, yeah, it might still be vulnerable to other side channel attacks, power analysis or something like that... but at that point, if I've got to do multiple traces and I got to average traces and stuff, this is probably sufficiently secure for what it is. Um, but I'm putting it together, I decided to see what would happen if I switched... you know what? I'm not going to say that.
I decided to see what would happen if I did a little bit more poking at the locks. Um, and in poking at the locks I discovered, um, that the side channel does open them up to, uh, uh, undocumented flaws. And if you can trigger some of these undocumented flaws, like the one that I have on the screen... you look as much as you want in the Cencon documentation for the generation two. You won't find that. Um, the locks will happily reset themselves to factory condition, uh, which means they have a combination of 50, 25, 50, and that's just pretty much that. Uh, so while the gen two... so while the gen two does defend itself again, against the sort of base side channel attack, um, that the, the, uh, the generation one went down to, the generation two may in fact be more vulnerable in sort of differing ways. It's, it's kind of fascinating. Um, but you are probably, for the moment, somewhat safer with it. I don't know what to tell you, it...

So we're done. Let's, let's disclose this shit. Let's get to DEF CON. You guys would be happy with an ATM-opening vulnerability, right? Like, that'd be good enough. Um, but we kind of left this hanging thread of the DOD locks. Uh, so I got myself, I got myself, uh, an X07 first, because they're the oldest and cheapest, and, you know, it's a, it's a hard bit of a lock. Um, we'll just... we covered this. It's a hard bit of a lock.
Um, and this is going to be a fun video in a second. Uh... it actually denies me a lot of the electrical grounding and electrical signaling that the other locks sort of present because they have the keypads and things on the outside. Somebody has really sort of threat modeled the X0 series of locks, and not only designed to be physically secure, but also try to make them somewhat electronically secure. And you can actually... we'll look at some images, but they've kind of switched back and forth over the years on different design aspects of them: where the generator sits, on the inside or the outside of the lock, external where the attacker can get it, or inside where it's completely RF shielded. Um, but before I talk about the X0 series, a lot of you guys don't know what the X0 series is. And because I am constantly shitting on people who FUD, I'm not gonna FUD. I'm just gonna play this video, which hopefully you guys can hear the audio from. All right.

Kaba Mas is proud to announce the newly designed X10. The secure tradition continues. With nearly one million locks sold, the Kaba Mas X0 series is the choice for securing the US government's most sensitive materials. In the Pentagon alone, there are several thousand X0 series locks installed. The Department of Defense, Central Intelligence Agency, National Security Agency and Air Force One all rely upon the Kaba Mas X0 series to guard its most sensitive information.

By the way, this includes the launch codes for the nuclear missiles on US submarines. So the government was not pleased. Uh, this is probably one of the most passive-aggressive... I really hope you could read the text to this a little bit.
One of the most passive-aggressive, sort of semi-threatening "please stop your research" letters that I've gotten. Under, under authority of the president, you do not have the authority to test these locks. Oh, by the way, if you find anything, you should, you should... it's unacceptable for you to just tell the vendor; you have to tell us. Uh, and then I love the CC list. The only thing that ruins this letter for me is it says "Dear Mr. Cerrudo".

Okay, so, so architecturally this is what we're looking at with the, uh... oh, yeah, this is the X07, right? So, uh, we only have the knob that breaches through the actual safe body, and all we have is the LCD connector on the outside. Uh, this LCD connector, you know, it's, uh, if you've ever driven, uh, an actual LCD, these signals are not anything that you consider friendly. There's no power. There's no ground. It's just sort of an AC signal. Um, they don't bring any ground outside the safe that I can even measure these signals really against. Um, also the locks are completely potted, because they don't want you getting inside. By the way, you can remove this potting. We'll look at that a little bit also.

But the, uh, further X0 has kind of shifted the security boundary a little bit. They decided, let's put the generator on the outside of the lock. Still, I don't have ground. That seemed to be a, some, like, some consideration that they had, not providing me that ground outside of the lock. So I, I really just had the AC signal from the generator knob and the AC signal from the actual LCD signal itself. This is, by the way, two depotted: the X08, the X09, depotted and sort of wired up for testing. Um, and yes, uh, both of these are also 8051 microcontrollers. So no room for crypto, just nothing they can do in here. Also, the internal EEPROM, we've confirmed, are just clear text. Uh, so just to keep that in mind for similarity of attacks. I hear a few people recognizing things.
Um, so... so if you actually look at these waveforms, you can kind of see why it's so hard to really, uh... like, these are directly from the datasheet for the actual LCD driver chip that's inside these locks. Um, I'm gonna go back there. Uh, you can kind of see at any particular time any LCD segment may have full VCC, negative VCC, half VCC, half negative VCC, your ground, anywhere in there, and I'm trying to read this millivolt side channel out of there. Um, and more or less after I had the X07, I kind of dropped it. I just left it alone for a while, and you have one of those shower-thoughts moments that, uh, medis face perfectly represents here: uh, how to recover the side channel from that lock. And you just separate the, the ones from the zeros and, to separate the positive signals from the negative signals, and we have a thing for that. It's a bridge rectifier. But normally we only use, you know, two, two poles of a bridge rectifier in your normal AC circuit. Turns out you can just make a bridge rectifier with 20 of them. So teeing off the LCD itself, and correct here, you can actually just set up a whole bunch of Schottky diodes, tee the LCD out so the LCD will still continue functioning as normal, but now I have a ground to reference the signal, the VCC signal from the LCD itself, against, and now I can read that internal VCC signal. Um, so let's see what we can find.

So this top trace is the actual full VCC signal that you get off of the dial when twisting it. Keep a knob... I've got to keep in mind, I've got to keep the knob together and everything, because you have to rotate that knob to power the lock. So the beginning spikes you see here, if you can see my mouse, um, this is the actual knob rotation time right here.
And that's why you have these high-voltage, high-ish voltage spikes. And then suddenly right here is when the lock begins to get powered, and you could see it sort of slowly drawing from that internal voltage pool that it's got. And if we sort of zoom right in on this little spot right here and take this little Saleae logic trace right here... all right, that's ruined my surprise there. We can actually see that we see these little high-frequency spikes of bullshit garbage that perfectly line up with the actual data transfers internally to the lock. Um, and again, we know that the lock's internal EEPROM contents are not encrypted. If we bandpass that signal a little bit more and try to look a little bit closer, we can actually see the signal that we actually get is an inverted version of the actual data itself. Just no more signal processing necessary. So I don't think you need to write, and it might even be hard to write, a perfect exploit for this to just sort of threshold these values out. But you can sort of see these two waveforms are inverted versions of each other. And that effectively allows me to extract the internal combination of the X07, or the X08 and the X09.

One of the things preventing you from doing this easily and stealing the nuclear codes is that the X0, the X08, the X09 and the X10 have some physical security aspects that make this somewhat difficult. You would have to remove... if you kind of see in this image here, I have to remove the front dial to actually get to the lock internals. To do that, to do that, you would have to defeat, have to defeat this snap ring. And that snap ring is intended not to come out once it is firmly in place. But it turns out it's only... that entire dial is really only kept on by a set screw. So if you drill through the front of the actual dial and put a screw in through there to thread that little hole, you can push the screw and impact the entire knob off of the, the dial that goes through. That's not a non-destructive
attack. You've just drilled a knob to do this. But it's, you know, it's definitely a problem in the lock design. If you happen to bring a replacement knob, it would, you know, not leave any evidence. But I'm, but I'm not going to claim that it's a non-destructive attack.

Um... yeah, so, in slides that I had to add since, uh, bullshit Reuters articles came out: we called Kaba back, and of course we told them that, hey, so that lock you told me not to play with, I, uh, I played with it. Totally vulnerable. Uh, and he was very snippy. He didn't actually tell me to go fuck myself, but between the... he told me that, uh, since the government is the only, uh, person, or the only agency, that receives the locks, they will be the ones to respond. He's also the guy this morning that, uh, questioned why I would present it to a group of hackers or hobbyists or whatever rather than going to the government. I did, you dick, 10 months ago, because of you. It's also worth pointing out that he actually alerted the government that we were doing it. He tried to call the government on us. So we kind of went down this road because he was a dick.

Uh, so yeah, we called the government back. They actually turned out to be a bunch of nice guys, but this was all happening during the government shutdown. Um, they seemed to think this was important enough to fly out to our offices, um, which was one of the most awkward meetings that I have ever been in my life. You don't know awkward until you've been in a meeting with a guy who will, who cannot spell "the government" without capitalizing the G, not joking, and with a hacker who's trying to put a "challenge accepted" meme in his slide deck for them. So... but they turned out to be nice guys. And ultimately, uh, they went on to develop a mitigation for the X0 series of locks. They asked if I could sign a non-disclosure agreement. Pretty much everybody has asked me to sign a non-disclosure agreement for this. But I'm fucking done with locks.
So I wanted to DEF CON. This is, this is how I can cathartically get rid of this entire line of research until someone shows me another bullshit lock. Can call out some names there. Anyway, um, so... so we, we also decided that, um, since it would potentially be a crime for me to purchase the X10 lock, and they seem to warn me against buying it even though they agreed that I should probably look at it, um, we kind of went our separate ways, with them sort of saying, you know, "We'll go talk to some folks and we'll see whether or not it's worth you looking at the X10. Um, but don't buy one." I decided to go look at the X10. The only thing that I can tell the X10 does is add a backlight display. Uh, when we were contacted again by the GSA, this is the only quote that I have to tell me how the X10 security is.

All right, so, so I guess I actually got through 47 slides in 40 minutes. Um, there may in fact be time for anybody asking any questions, if you could, you know, if you want to try. No? All right, somebody has a question. Sorry, uh, yeah, that is government talk for "you'd be fucked". Um, I think that, I think that what it means is, uh, ultimately we've designed, uh, we've tried to get people to understand this as a, um, design pattern flaw. And, uh, I think they acknowledged that, and they went back and they were able to identify this pattern on their own, and hopefully other lock manufacturers will as well. Uh, they just don't have as much money in them. Anybody else? Is there anybody I'm up? Fuck you. Is there anybody else? All right, I am out of here. I'm gonna go get a drink. I will be accepting joints.