So anyway, we're going to talk about something that's totally out of video game related. Also I have a slamming head cold. Of all the years I've been going to cons, the only two times I've ever gotten sick were once previous at DEF CON, I went to like a Vietnamese place and apparently it tried to kill me. And I spent the entire weekend at the Alexis Park on the bed, which is, say what you will about the Riv, but being in the AP in bed all weekend really sucked. And now I have a head cold. So this is Logan. He will be assisting. Howdy. Howdy. As needed. And maybe we'll be dragging other people on stage here too. This may turn into a giant dance of random people. First of all, that really is the title of the talk, not a statement about what we needed to do to the title. So people asked because it looks like they screwed up your title and they didn't have the final one in there. I'm like, no, really, that's the fucking title. Apparently it's the worst title ever. And I assume nobody was actually going to be here for this talk. So I think you're all in the wrong room. You're probably looking for the Android talk. I think it's in track one. Oh, that's Goons in the hallway talking. Do they leave the doors open the entire time now? Yep. Wow, that's awesome. How lucky for you in the back. If you want to have a separate conversation in the back of the room, you are welcome to do it because we won't hear you up here. Also just to be clear, Logan, when he joined the Shmoo Group did not choose his handle. He refused to come up with a name for himself, so we chose one for him. Just to be clear, it's pronounced Lolo, but it's actually L0L0 because it's really difficult to tell on screen, so if you want to send an email, that's how you get ahold of him. That's why it's always a good idea to pick a handle. Yeah, you always, always, always want to pick your own handle. When they give an option, what do you want the username to be? You pick the fucking username, okay?
You don't let them decide because it will be like, you know, the worst thing imaginable. That's actually not that bad. It doesn't involve the expletives or any discussion of the sexual prowess. Today is the trade deadline and what, 50 minutes or an hour for MLB for like the eight Major League Baseball fans that attend DEF CON, not a large overlap. They're all in here actually, it turns out, all eight baseball fans. If someone could tell me if Adam Dunn gets traded, I am the one Nationals fan in the country, so if you go to the Nationals website, it's actually personalized, hey Bruce, welcome back. We really appreciate it if you bought a couple thousand more season tickets. Anyway. Hasn't yet. Thank you. If we get like a ticker going, if you want to hack this VGA monitor and put a ticker on the bottom, like has Adam Dunn been traded, does this talk suck? First things first, what's the only thing you should believe? Nothing. Well, source code. Who said source code? Yeah, bingo. That's exactly what I was going for. Holy shit. Like congratulations, sir. You get a gold star. Come on now. Thank you. It's really easy to get people to yell at DEF CON. So the first thing you shouldn't believe is the speakers. And usually that's my opening slide, and I'm just still going to say it verbally. Years and years and years ago, I remember coming to DEF CON and I was really excited about the partying, and the partying was pretty good, but some of the talks kind of sucked. And even when I went to other conferences that were more expensive and a couple of days before DEF CON, and I would go to those conferences and people would get up on stage and they would say shit like one and one is three and like reporters would then report on the fact that one and one is now three because some random asshole on stage said it and you're like oh, that's amazingly stupid.
So I encourage you when you come to DEF CON, you know, this is an industry filled with cynical people and we get paid to be cynical and we get paid not to believe what people are telling us and what computers tell us. So when you walk into here and you stand in line, don't check your brain at the door, you know, continue to think. This project that we're going to show today is results of many late nights in the last two weeks in proper DEF CON form, but it's really just kind of our view of the world. And if you disagree, feel free to stand up. We'll even arm you with microphones if you want to be that guy and hijack it, we can go that. We can play that game because we're pretty good at doing that too. So we can hijack our own talk back. Anyway, so what do we do here? What we really felt like doing with this project was trying to dig through source code and not look at the code at all. And what we really wanted to look at was the metadata associated with the code. And primarily, comments associated with the code and the commit statements. How many people in here are software developers? Yeah, how many people in here are software developers that don't suck? You all lie. We've all, enraged at the end of a long night of coding, checked in something like this is the biggest ass-hattery ever. Fuck you and fuck your mother. Fuck this, I'm done. Fuck, fuck, fuck, fuck. Shift ZZ out. We've all done it. I've been curious about this for a long time of what do other people write? Because I know that's what I write. I write stuff and commit statements just to see if anyone reads them. I put things in things. It was actually in one of the Shmoo Group internal lists years ago I was doing a project and I put something way down in some documentation. I'm like if anyone ever reads this, post to the list, purple monkey robot chicken. And like two years later, someone just like posted one line and it was like, purple monkey robot chicken, I'm like, holy crap, you read it.
How many people have done that? Like randomly, no one ever reads this. I don't know why the hell I even try. Yeah, right. So what we wanted to do was go through it, look for first of all just amusement factor. We're going to build a ginormous database and spend hundreds of hours doing this just for amusement but also because we think there's actually security specific information where people say things like hey, we need to go back and fix this later because it's a big vulnerability dot, dot, dot. Did that ever get checked again? Did that ever get modified? I don't know, let's go find out. And so the purpose of this project was really to provide an analytical tool to allow us to do that kind of analysis to find where people have said things in the metadata associated with code we plan on going back and doing this or this is a problem and using that to do static analysis because it turns out that real static analysis is hard and we didn't want to do anything difficult. But as we'll talk about later, TurboGears is almost as difficult as static analysis of source code but apparently no one's actually trying to use TurboGears in here. There are a bunch of static analysis tools out there that look at source code, that do a good job, there's a bunch of different philosophies on how to look at source code and it totally wasn't our point. We weren't trying to go actually look at the code itself. We figured we're just going to let the developers tell us what's wrong and honestly there are a number of instances where they just outright say hey, thank you. Sweet. I can use grep. Also there's some pretty seriously funny shit. The first thing we're going to do is have a primer on code repositories but then I realized when I wrote the word primer on a slide everyone would say what the fuck's a primer? Because I always say primer. The primer is the shit that you put on the walls before you paint.
A primer, if you want to be like all OED about this, is actually this description of elementary issues for a given topic kind of concept. This is, hey, you know anything about this? Let me give you a primer. Let me give you the little bits of information you need to understand it. Probably the best example of that is Jodie Foster in Contact, which I happen to have right here. I'll see if I can do this. How long will it take to decode it? It could take forever. The best decryption people we have. She is the world's most famous linguist, so I recommend we follow her lead. Anyway, so honestly that's just one of those if you can't tell I have little rants I get into for those who've maybe seen me talk and the primer thing was one that kind of bugged me for a long time and plus Jodie Foster, like I said, Taxi Driver. Taxi Driver fans. What a great fucking movie that was for a wide variety of reasons. Repositories. I'm going to turn it over to you in just a second. Mostly because I'm going to curl up underneath the table and take a nap. There are three major repository suites as far as we're concerned. CVS, Subversion and Git. They're all pretty different. What's interesting is Git is really easy to use. Like it's one of those I equate it to the church of Python. When you use Python, you read the Python documentation and the Python.org web page and that's all you ever need to know. That's it. There's nothing else on the page. At least that's the way it's portrayed by people that write Python. I didn't believe it for years. The first time I wrote something in Python I kind of squatted over the toilet and popped out some Python. I was like, oh, hey, it works. Cool. There's database integration in there. And Git was kind of the same way. I'm a really bad developer.
The actual pinnacle of my development patheticness was we were writing some code for one of the Shmoo projects we were doing years ago and I sent it to another Shmoo and I kept having these weird error conditions where sometimes it just doesn't work. It just kind of cores and flakes out. I really don't know what's going on and the guy writes me back and says, you know, you declared a function inside a conditional. Sometimes the function just didn't exist so I dropped out of college when I was a CS major. Took data structures and algorithms three times. My sheet did not fail at all three times. So Subversion and CVS is about like rocket science to me so I was really happy that we could use something like Git because you can just git clone and you get the entire frigging repository since the dawn of time and then git log and get all the logs associated with all the commit statements. Really easy. So we focused on those. Some RCS people still left in the room. Big great beards on them. They got stuff in them. You're welcome to debate the finer points of code repositories but we focused on the ones that we were comfortable with and really just to be clear because I really wanted to do some PowerPoint graphics. You have Python and Git and they are the awesome. What are those on top? Crowns, thank you. I worked on that on the airplane. People were looking at me. I was walking by like I guys make it porn I think. Like 8-bit porn. The next slide they start going at it but I won't show you that. I'm going to turn it over to Logan now. You want to chat? I can sit down. Take the mic. You don't want to hold the mic? No. Hands in your pockets. I'm going to be a complete jerk to him so if you want to help out just say stuff. That slide is mostly true. Actually, we only crawled GitHub. Yeah. Pretty much it. Primarily the languages we saw were Python, Ruby and C and C++. So just to be clear when you submit a talk to most conferences this slide is in advance for some reason.
I think it's more to hold people accountable that they've actually done some work. They claim it's to burn it to the CD but has anyone looked at the DEF CON CD yet? Really? Is your box owned? Not that you know of. But we had to make these forward-looking statements a month ago about what we had done it was really more what we thought we would do and so we put in things like it was fine and as Logan pointed out we focused on GitHub because we were lazy. The name of the app that we put together is called Code Gleam. First had some jokes. I didn't actually. The first thing he had was Source Grape which sounded like a disease that you needed penicillin for and Code Gleam was a moderate step up. I give it two stars. You can dance to it but the beat's a little off. It's still a prototype of the version mostly used in-house by us to do analysis. There are five parts of it. Like Bruce said, Python is great so we use Python. The first part is the crawler. That is basically just our piece that goes out and will crawl GitHub right now and look for repos that we tell it to look for and pull that down. It does support Subversion so we didn't actually crawl any of those yet. Once the crawler pushes off a task to the file store, it stores the repository on disk. This is semi-complicated because as it turns out, OSes don't like large directory structures that are flat. It makes functions like stat really, really, really slow. What we did to counteract that is based on some input and as I found out later, this is how Git stores it. We hash each file in the repository and then store a directory structure based on that hash and store the actual file at the bottom of that hash and create a symlink to it. It creates a nice tree structure that the OS can handle with large amounts of files. Then the parser comes in. The parser, basically, its entire function is to parse the code for comments and commit statements. The whole goal of this, right?
To do this, we created essentially a base parser that uses a library called PyVCS. PyVCS is a nice little Python module that will extract interfaces to certain Subversion repositories like Git, Subversion, Mercurial, and Bazaar. There's other ones. I've never heard of the other two. You made those up. Anyone use Bazaar? Anyone use Mercurial? Anyone know Mercurial? The guy on Twitter? Sorry. Jokes are really slow today, guys. I mean, I got snot running out of my nose. It's not pretty up here. No one even laughed at that. See, that's how bad it is. That's just gross, really. Thank you. Hey, someone imported one. Where was that from, sir? Not you yourself. I don't know who you are. Anyone else for anything to throw? Anyone know why he threw that? All right. If you don't know what a Shmooball is or aren't familiar with who's giving out the bullshit flags, by the way. Have people seen those? Yeah, where are those coming from? Can you understand that? What they say? The feds. The feds are supplying the bullshit flags? That seems a little strange. So that's how feds are being tagged this year? With little bullshit flags. You need to explain this! Ask it a question! This is not helpful! They have a surplus of... So who's giving them the bullshit flags? I'm trying to find out the source of the bullshit flag and not the source of the bullshit itself. They. You just keep using pronouns. I don't even care. The feds were calling bullshit to put the bullshit on themselves. Oh my god, all right, we're done. Go ahead. Mystery solved. So after the parse is done, it basically shoves all that data in a pretty standard MySQL database, right? These are essentially the tables that we use for this. It's fairly normalized. It's a really technical term. Unlike, say, third normal order, which is really loose. You don't really understand it for the database wings. I didn't want to say it was actually in third normal form because you would have tried to call me out on that.
Yeah, I would have tried to call you out. I made you prove it with diagrams, which would have gotten ugly. And from there, we built the TurboGears front end on it. This was the source of many long nights of coding. TurboGears is supposed to be easy, but when you start adding AJAX and you try to do things with jQuery, it's like trying to solve a mystery as to how that thing works. But in the end, it came out really well and pretty happy with it. Well, he is now. When he wasn't sleeping, he wasn't happy. He was a little grumpy for a few days because it's like going to bed at 4.30 in the morning and getting up at 7.00 to go to work. Yeah, there was one phone call in particular. Probably shouldn't have had. And from here on out, as we develop this more, we want to add just essentially code to just tie this all together very well. And more repos, of course. All right. So the end result of all that is a website that you can't get to right now. Woo-hoo! That is proper DEF CON form. Just in case you're wondering if you're going to submit a talk to DEF CON, the proper form is, well, we did the work. Here's most results, but we still have to finish it up. So it's not ready yet. You can't download it. Or you just get up really drunk and rant and have some woman in bikini next to you and no one pays attention, apparently. So anyway, so Parcel Flat Fliers commits blah, blah, blah, blah, blah, blah, blah. So we went for dirty words, first of all, because we're like little kids and you want to see how often people say fuck. Fuck, fuck, fuck, fuck, fuck. Well, first, before we get down to that, actually, moving on to more statistical grammatical analysis where we use things that have spaces in it. RegEx. So we actually do have some RegEx stuff implemented and you'll be able to use once we get it online. Mostly, that's what we're worried about right now because we don't want you all pwning our server.
So we started asking people, oh, and our RegEx so we're going to go throw it into MySQL database and hope for the best. We already had some instances where people in the commit statements and I'll challenge you, I'll just put this challenge out there. The commit statements then, when they get returned to the screen, will get not really escaped properly and so there was actually like markup language inside the commit statement so I was reading one and there was a text input box right in the middle of the screen. Like, huh, that doesn't bode well. Just to be clear, once we do light this critter up, I would challenge you, if you know what things we're tracking, try to get yourself onto that task, onto that project then put in a malicious commit statement just to see if we get owned. This is a whole new attack vector, owning assholes by commit statements. We were going to do a demo but the intertubes suck so instead we're just going to show you it is a webpage. There's a browser, it's called Safari and we took a picture and it's not photoshopped. I swear to God. Look at this, does anyone can anyone tell me the seven dirty words? Everyone's just mumbling, it's like Tourette's now. Fuck, fuck, fuck. Motherfucker and fuck were separate words in George Carlin's seven dirty words which as a purist you think that's just a derivative, right? Like, you derive the first order of motherfucker and you get fuck and you derive it again and it's null. Calculus humor for someone that is like, is an integral, you jackass, you did it backwards. Anyway, so we took the seven dirty words and we made a histogram out of it in Numbers, not Excel. Steve Jobs Forever. It turns out that out of 540, 36 freaking repositories that we grabbed including things like tcpdump and Apache people only said fuck in the comments 15 times. Right, people? Open source project, please swear more because it's got really boring. We ran the results and were like, ah, crap.
We're going to have to put some in just to make it exciting. And the lower order ones, the ones at the bottom, like tits, motherfucker, those never even made the list and there's a lot of comments, not once. And I might think honestly, if you're swearing and you're angry, typing motherfucker's a lot of work because you're going to type over two or three times and eventually you're like screw it. Fuck, there, we're done. We're here. Open source action pussy is exactly. So here now we look for, we created our own slightly more generic dirty words. We'll only say hell a bit more, but this is still a fantastically small number of swear words. People giggling at the last one for the ones that get that. No one committed that either. So as long as you're going after trying to pwn us through commit statements and comments, you might as well go and drop some Ligitbombs in there too. I said it. And commits were a little more aggressive. We said fuck a little bit more. Still not like at least in every project, but four or five times more shit came out a lot more. And then the other ones, hell. What the hell is this? Hell, hell, hell, hell. It's like a part of a Simpsons episode. Hell, hell, hell, hell, hell, hell. You all seen that clip when how the hell can I say talk about hell without saying hell? Yeah, it's like Simpsons season two. We got to be kind of old and gray hair and shit and stuff. Anyway, still not that interesting. So we started to look at code quality comments. How often did people say this code sucks or this is quite a hack? Well, on average, at least once per every project someone said hack. Some of them had it a lot. It was like, ha, ha, ha, ha, ha. And stupid and blah and work and suck. These are areas that we started to focus on. When people actually said this is a hack, hey, guess what? We're going to go look at that. Hack wasn't used as much as stupid. Which I think is a little more aggressive terminology.
People started to call things stupid in commit statements. And we went back and we read a lot of the results here. And what we found is developers are more likely to make emotional comments in the commit statements. Presumably because they assume commit statements don't get up, put in your .tar.gz and shipped. The commit statements just kind of stay in a database somewhere and you presume that's why we took our flashlight out and tried to, it helps if you make the noise. I'm a big fan of making noise because then later on it ends up on YouTube hey, look what this jackass did on stage. Thank you, hey. Does anyone wear that shirt right now because I'll punch you in the face? Trying to be polite about it. DEF CON, stand in line before we punch people in the faces. So there was some randomly funny stuff. All caps always is a win. So, you know, fuck you for supporting that stupid behavior. You got two of our dirty words in one sentence. I thought that was nice. Killed two birds with one stone. Somebody blaming the cold meds. The CGI IRC which should scare you in its own right as a program. It's an IRC that's written in CGI. Pwning boxes through IRC to messages, right? Go find a bug in this thing and then just type the right command in the IRC channel and watch the guy's box until the web server gets pwned. Like, that's a fun attack vector. But he had things like nasty hack to make the angry smiley work. Then there was another hack to make another type of smiley work. Like, this guy had a problem making smileys work in an IRC program. I thought you just displayed colon, parenthesis. Is it any more complicated than that? Also, one person was kind enough to point out that moose were better than ponies. Okay, good, because if it was a boo, there was going to be a problem. We are big moose fans, as it turns out. Not so much the ponies, ponies are nice. Moose, they're for real people.
Anyway, do you guys know why you get Outlook messages from Outlook users that have J's in them for smileys? Have any people noticed that behavior? It's because freaking Outlook converts the smiley to the Wingdings smiley, which is the letter J in the Wingdings alphabet. When it gets sent out and you don't have the Wingdings loaded, the Wingdings like the intertubes, then you get a J because that apparently is that character that they used. It's really annoying. Unicode, bane of my existence. Again, the guy that flagged Outlook and resides. Holy shit. All right, so people are angrily doing drunken things. He's like, I'm out. This is bullshit. I broke the microphone. So we found our first result in the first five minutes, which was lucky, because again, when you unload Pandora's box on this, when you say we're going to do all this stuff and do this, have this ready for DEF CON, and it's three days before DEF CON, we're like, huh, we don't have a completed code yet, but I guess I'm going to start digging through the database and see if we could find anything. I was a little worried that we wouldn't find anything. So we did. The guy that sat here was looking for the word lame, and we found this phrase that said, this is kind of lame, but only exploitable by people who could log in. How serious could that be? What was interesting about this bug is not only did we find it in one project, we found it in six different projects. And what happened was there's a bunch of Ruby developers working on these social networking projects trying to make the next Facebook, Twitter, you know, Chatroulette is my asshole kind of thing. And someone was running a Chatroulette in a room today at 10 a.m. Was anyone there? I saw references to it online. Was there anything disturbing? Yeah, that just seems like a lawsuit. Like, are you showing porn to a room of people like that? You just don't know what you're going to get. Oh, I didn't know gerbils would do that.
Not appropriate ever, let alone at 10 o'clock in the morning on a Saturday. They're all working on these social networking projects and what they did is they just shared the code and it wasn't like they created the common library. Like, I mean, I flunked out of CS again but I can see the value in libraries because you can update them and they get updated independently of the freaking software. No, they just cut and pasted it. That looks good, including the comment that says kind of exploitable. And so what we found was this and even more verbose. So the only exploitable people so presumably not too big of a security hole. It allowed you, as long as you had an account and you were using HTTP auth to get in, you could look at anything that anyone had protected anywhere in their social networking sites that they built with Ruby on Rails. Which, again, I mean, come on, we've seen Facebook do it so everybody, the cool kids have to do it when they start the new projects and like, I can appreciate that but it's ridiculous, absolutely ridiculous. What we found and this is part of the tool is we track what versions of the pieces of software that contain the comments and contain the commit statements or at least eventually the commit statements. Commit statements are a little bit harder to tie to specific versions at the moment but the comments and so we can go through and say, hey, where does this comment still exist? And a number of the projects out of the six that we found, a couple of them had nuked the file all together but there are still a few projects out there that today have this chunk of code in their live production systems. Come on, guys. You don't get to see 0-day. This is really lame 0-day. It's not Charlie Miller 0-day but it's 0-day. Come on. Yeah, what's 0-day themselves? That's the finer point, right? Like, is it 0-day if you said it? Like, hey, look, it's a security vulnerability. Like, all we did was grep. But yeah, we're calling it 0-day.
We're bad like that. What else did we find? So we found, so this is a question because they fixed it. But again, presumably, not everyone deploys the latest version and part of the purpose here is to be able to determine specific versions of software that maybe you don't have easy access to right now but we want to go find other issues with, you know, I'm at some client site and they're running an old version of Puppet. In this case, they had just migrated to REST from XML-RPC. So REST is a same kind of, it's like an RPC thing but a lot fuzzier. It's not as heavily restrained and they realize that you can just send unauthenticated REST requests and they would be obeyed. So I don't see anything wrong with this, this admin framework that will accept unauthenticated RPC commands. You know, have control of your entire enterprise? I don't know. It seems like an okay bug to me. Anyway, so again, this was patched a while ago but we were able to dig it up pretty quickly. This next one is very special to me. I'll read it because I realize you probably can't read this but basically this guy is talking about using a site key which is an extra bit of information that gets hashed into this database password in order to make it so that if the person who's snagging the broken in your box snags your config information also needs to go snag the database so that they can run an offline dictionary attack as opposed to just connect your database. So it's basically, there's a secret storage somewhere else in the file system and they wouldn't have grabbed it unless you access your, quote, stupid user's passwords. And you know, this guy, it's a hell of a comment. That's a big commit statement. The guy's got lots of URLs in there. He's pointing to like the visual guide to cryptography to explain hashing.
I mean, this is one of the most verbose and explained commit statements ever including, needless to say, if you upload this to GitHub or the YouTubes or otherwise place it in public view, you kind of defeat the whole point. Just to be clear, we downloaded this from the YouTubes. So it did kind of defeat the whole point. Anyway, there were also some dead ends that we encountered when we were doing this. We're looking for the word security. Again, this is just basically an uber grep at the moment. And it said the phrase add insecurity. And I'm like, excellent. I wonder how complicated a commit that was. Like my eyes got really big and admittedly this was yesterday. We were, so we're doing the actual analysis for this yesterday in our room. And it turns out that Logan doesn't have a laptop. Because, yeah, my fault I haven't bought one yet. Logan works for me. And I haven't bought a laptop. And he kindly reminded me when I said, hey, take your laptop out so it can work. He's like, screw you, buddy, you couldn't buy me one. God, I'm a dick. So I give him my laptop and I rip out, here's the douchebag thing I'm about to say. I rip out my iPad. One of two iPads. One of two iPads in the room, yeah. Real. You just hate me now. It's cool. I'm down with that. Anyway, I take out my iPad and they have no connection on the laptops. Working okay. But the 3G service on the iPad is literally like about five minutes after the hour. It's working okay. It's working okay. Working okay. About quarter to the hour. Can't get any data through. Start sucking, sucking, sucking. Five minutes after the hour. Works good again. Quarter to the hour. Suck, suck, suck, suck. It's working on the 3G service at all. I realize, oh, talks are letting out. And everyone's walking around assuming the DEF CON pose, which is, oh, ran into some dude, okay. And it kills the AT&T network here. So we were digging through and so I would execute a query and I'd wait like five minutes for it to come back.
Not because my server sucks, but because AT&T network sucks. So I see this and I have to wait for like five more minutes to uncover how cool this is going to be. So I just got a code from a project that he just started that no one uses. It's like, shit. He even said, now you have to log in. Yay. I was really not happy because we really needed something to say. Anyway, so honestly, we are really at the point where we now have a functional tool. We will have the website up here in a little bit. We have GitHub announced today that reached one million repositories in GitHub, which is a pretty I don't know how big SourceForge is, but between the two of them, they represent a mammoth amount of open source software and our goal is to find a way around their terms and conditions and get them all. It turns out when you download a lot of them all at once, they cut your ass off. Four and a half gigs was the cutoff point. Four and a half gigs, 476 projects was our first cutoff, I think. It was a temporary ban on the IP and we moved it back later slowly and got a couple more. Yeah, just slow and steady. Like a 70s porno, you know, you just kind of got to work your way into it. It's okay, GitHub. This won't hurt very much at the end. Like a carrot instead of a cucumber. Whoa! Holy, wow, vegetable reference. Thank God you were close enough for the mic to that to be recorded. So we changed the schema a number of times. Honestly, importing the data isn't that hard right now. It takes a little time. But what we want to do in the long term is tie this directly to the repository so we can get changes as they happen. I cannot help but think that's a pun every time I say it. We want to get more data in there. We want to get more aggressive analytical capability.
And honestly, we want to be able to quickly drill down and facilitate the analysis because right now when we find something, I still have to go to the Git repository and look at the code manually and see what's going on and then talk about it when I was describing code lame. We're tracking on the file diffs between versions so at some point we'll be able to correlate essentially what files change between each version and determine when these source comments are put in and taken out and moved around and stuff like that. So really in conclusion this is a pretty trivial analysis but I think there's a lot of hope here both from just kind of high comedic value but also from a security perspective as we get more and more and more projects in here we have to have more results and honestly we want to have more advanced analysis so people understand. There's a lot to be said about the quality of your comments and the quality of the commit statements and open source software. It speaks about the development process that people are using and how good it is and I think it would be nice to be able to figure out how good the open source community is doing over the years. Is it really just a bunch of jackasses saying fuck, fuck, fuck, fuck, fuck, fuck. So we'll be up at www.ponsesac.com. You can follow Ponsesac on Twitter. We're not trying to be Twitter whores and honestly if you want an announcement I'm not going to mail you all individually. You can just follow us and we'll tell you when it's ready. Thanks to Brian Denney for his last minute of support. Brian, there he is. Brian, thanks Brian. I call Brian up at 9 o'clock on Tuesday. Hey man, what you doing? Why? We've got a big database and no website. Can you help us out? Shit. You knew we shouldn't have answered the phone. Anyway, that's all we got. I think any questions, comments? Mass exodus is plural. Alright, we're done. Thanks very much. Have fun, guys.