>> So, we've got, uh, Amir, CJ Hahn and Mike and they are going to hack 45, or 20 devices in 45 minutes. Let's give them a big party track welcome. [Applause] >> Charge! All right. Good stuff. Hello everyone, I wanted to welcome you to GTV. Hacker presents hack all of the things. 20 devices in 45 minutes of GTV hacker production. So who are we? We are GTV hacker we form to route the original Google TV in 2010, we released exploits for every Google TV devices since then, plus some others including the chrome cast locator and many more come today, you guys will really enjoy this presentation. So who are we, the speaking members today you will get to hear from, are myself. I work at Accuvant as a research scientist and I funded the GTV hacker group. There's CJ here, he is a security researcher, group head at a nonprofit. We have Hans Nielsen, he is senior security consultant at Manasono. And we have Mike Baker, MBM former developer and open Cofo or opener WTR cofounder. [Applause] >> So who are the other members? There's only able to be four of us on stage to present and we have roughly eight members. We have Gina Fage, he's actually running the CTF right now. He's part of the GPS. We have Saric who was the creator of Syvia. We have Qua Han, who is the student and, uh, has a triple test apparently. [Laughter] And, um, we have Tom Dwanger who goes by TV owang and he is our APK reserver and really just handles anything Java. Um, so why do we hack all the things? Well, we own the hardware, why not the software. We also really don't like devices to end up in landfills. When a device hits its end of life, you know, it's -- It cannot be really useful anymore it, it could just -- essentially it can kill a device like, in the case of Logitech review if any of you are familiar with it. Um, we also always aim to make the product better. If we can do anything to make the product better, you know, give it more functionality, whatever it is, you know, we do it. Last but not least, we really enjoy the challenge. You know, it's, it's like solving a puzzle. You really just -- you love it when you win. So what takeaways are you going to get today? So -- [Laughter] So you got a root, you get a root! No, so what takeaways? So essentially, 20, 20 devices in 45 minutes doesn't leave us a whole lot of time to spend on each device. What we are doing is -- consider this a show case of things that will be added to our Wiki right after the conf -- uh, our presentation. We're going to give technical details, um, hardware diagrams, everything we can. 'Cause it's gonna be pretty hard to read and we're not gonna give everything a lot of time. So, um, you know, you see the, the link at the bottom of our slide deck DC22.GTVhacker.com. Visit that right after the presentation. When we get back to our hotel, we will kill the basic off on it, and you know, you will get access to all of the stuff you saw at the presentation. So let me introduce Hans. >> Thank you, Amir. So there are a limitless number of ways to attack these kind of devices it does everything. Uh, today these 20 devices we have three main methods that we're gonna look at. We can use UARTS, serial ports to talk to debug ports and get into advice it where we shouldn't be able to. We can use EMMC. It's SD card like, and we can just connect to that and use that the modify storage directly if it will let us access, uh, device operating systems and also just a whole bunch of command injection related bugs that they are very, very popular in consumer electronic devices. So with no further do, let's talk about a whole bunch of UR base tasks. So what is a UR? Usually, they are used to interact with debug ports on a board. In consumer electronics they generally not used for any actual functionality. They are just used for the manufacturer to connect to it and debug stuff, that kind of thing. It's a very, very simple interface. There's one wire for transmit, one wire for receive and one wire for ground reference so that everything works. The protocol is simple, it's been around forever. It's way older than I am. Uh, how old are you? >> I am 27, thank you for asking. So yeah. It's, it's this great simple protocol that shows up in all kinds of places because it's really convenient to use on these devices. Uses all kind of different voltage levels, there's the serial port, you're familiar with on your computer. Hmm? [Applause] >> So we have a few free UR adapters to give out at the end. You can go play with your own devices with. I hope you get as much use out at them as we do. So what do we look for with we are trying to find a UR. Usually they are pretty easy to spot on boards that consist of three or four pins usually in a line or little square. You can get a -- the sole scope poke around the board try and find things that look like they are spitting out data you can see the way they form. So without further do, let's get started looking at the actual devices. The first guy here is -- it's a printer. Okay, so we have this network all-in-one photo, scanner, printer whatever thing. It's running Linux, everyone is running Linux. So, what to do with this guy here? So, if we take a look there's -- here's a board shot. So, throughout the presentation we will show you board shots along with the place on the board where you can see the ports accessible. If you look off to the left here, you can see where we solder on these four wires to the UR port and you can see it has that classic, you know, four pins in a row arrangement. So, right there is our UR. Okay, awesome. What can we do with that? Well, when we turn the printer on and have the UR connected, the printer gives this cool console menu, okay. You know, it's got useful things like, reboot the printer, reset the settings or run arbitrary shell command. [Laughter] So, there we go. We didn't have to do anything. We got the shell there. With that shell -- run shell command we can run whatever command we want and then we can go have fun playing with our printer. The Belkin WeMo is Internet connected wall plug, basically you can use your phone to turn things like, a coffee maker on and off. It's, it's been wildly exploited by various people and, yeah, it's a tiny fun little device. So, pulling this open, you know -- a little hard to read there but often the -- off to the left of center, you can see the transmit and receive pins there. Once we hook up a UR to that, what do we get? Well, the Internet tells us that, you know, it's batch they can fix that. It turns out that, no. They didn't quite get that. So, during recovery you actually have two seconds to insert a command. Okay, so what do we do about that? We can just run this single command down here at the bottom. It kills the scrip that reboots it and then there you go. We're running this root in recovery. We can do what we want. Cool. So, this is a fun little embedded device. It is just a gateway thing that controls smart light bulbs. Um, kind of, kind of like the Phillips view if you've seen that. It uses ZigBee. ZigBee is a pretty popular protocol that we've seen in these things. I know there's been lots of great talks about ZigBee here already. Um, so, yeah, this thing is kind of fun. It just has a power PC. Who uses power PC these days? You know Apple hasn't done that for -- who knows how long. It provides an SSH server when you run this thing. But we don't have credentials for that. Okay, too bad. What else can we do? UR. So, look at the board you can see those cool little test points down there at the bottom, the, uh, red arrows. There's the transmit, there's the receive. The, uh -- it's really fun trying to find these things. Because they always king of just standout. You're saying, what is this? Plug in your multimedia, plug in your scope connect to it and see, is there stuff coming out of here? Can I do anything with it? So, cool. We have the UR here and it has U-Boot on it. It has you without settings changed on it's just U-Boot. What is U-Boot? The U-Boot is the boot loader that lets us load and run Linux. So, we can talk to the boot loader now we can do anything. We can re-flash the device, we can change the kernel command line. What is changing the kernel line let us do? When booting Linux you can provide it with a bunch of options. You know, how much memory does this device have? What port do I want my serial dongle on? What is the first program I want you the run once you've loaded that file system? So the end argument, you can pass BNSH to that. What does that do? It responds the shell as route. Cool. Really easy way to get past all of the various other initialization scripts that might lock settings down and not provide consoles. It skips all that goes right into a route shell and then we can do whatever it is we want. It turns out the thing that we want it to do is crack the route password. So, we grabbed that password instant green it's good stuff. The file transporter. Another device that came out recently. It's kind of neat. It's basically a cloud-mass sort of. You have this device it had this big'o hard drive in it, leave it on your home network. Through their service, you can connect back to your home device and then access your files. Great. So, you know pretty standard kind of device it's running Linux running ARM builder grace user land which is a fun thing that we haven't as much of these days. Builder it's awesome for those of you who played with the WRT54G back in the day. Lots of fun there. So pull this thing open -- oh, hey look at that they even gave us a header. Often we find that there are headers in devices, but they are not populated. In this case, it was populated. So, again, we have a U-Boot shell available. Which lets us change the kernel command line again and get that route shell and do whatever we want to with this device. Which is awesome. The co-star LT. It is the successor to the video co-star. Which was a Google TV. This is no longer a Google TV, which is funny we don't even hack Google TV's anymore. So ignore the arrow the arrow you don't want to look at the arrow. You want to look at the little red and white text on the top left there. There is the classic four pins in a row layout. You can see the transmit there. So this is a fun one. Because when we first turned it on, you know, we saw three lines of the output from the UR. It's basically saying, hello, it's the kernel, okay, external. That is it. Nothing. Okay. That was weird. At some point we left the flash drive plugged in. And said, oh, I don't understand the file system on the flash device. What do we do now? Try 532. So format is 532, and plug it in and try it. What do we get? Hey, I can't find FS dot SIS. Okay, that is really suspicious. So we did a little bit of research into this, and turns out that FS dot SIS is a U-Boot script image file. Which is a file that U-Boot will load and execute arbitrary commands from. Cool. So we can then use the same tricks we used with the previous U-Boot hacks and modify that and make the argument with the kernel again. And with that we can get root. Along with FS dot SIS there's this safe kernel dot image one. We can use this to boot an actual complete different kernel just from the USB flash drive we just plugged in. Awesome. The stables connect is just another small home automation. It's rebranded OEM hardware. We have seen a lot of this stuff. It has WiFi, it has a USB port for plugging in your hard drives, whatever. What do we have here? Hey, look it's a header. Look, there are receive and transmit pin on it. Sweet. What does that get us? Well, it got us a restricted U-Boot environment. So what do we do here? Well, the obvious answer, if we short out pins 29 and 30 on man chip to ground while it is booting. The U-Boot is saying, uh-huh, and resets everything and, uh, there we go. We can actually just type commands into the U-Boot console again. So after we reset all of the various properties and commands. We can just get route on there and congratulations we have now rooted this. We can also crack the password for this one. This was not a very hard password to crack. But it is useful to know that. At this point, I would like to introduce CJ. [Applause] >> All right. So I'm going to talk to you as he pointed EMC flash is pretty much an SD card on a chip. The thought was that you can take an SD card, put it on a chip and not have to worry about any extra magical bits. A flash will have extra bits that handles error correcting code stuff. So drop the flash on there and then you can ahead and use a normal file system, access it like an SD card everything just supports it, it is great. And hacking wise, usually you can get into it rather cheap readers. Which we are giving a few away, totally free. We have, um, since EMC is pretty much compatible with SD cards many EMC readers can be used. If you're looking for -- figure out -- you know, you have EMC flash. It's BGA. You need pins to find it. So the thought is, how do I do that? You can first look at it by resistance. Furthermore, you can talk about the board design. Sometimes things will be labeled. You will see resister numbers and figure out increments and whatnot. Also, the command lines and the cock lines tend to be on one side of the flash while the data line on the other. And if has doesn't work hook it up. If that doesn't work, then you pull the chip and trace it. Which is what we did with the Amazon. For that picture, although small is a BJ flash pulled and wired up to an EMC reader so we could get a dump. But speaking of the fire TV. As we know, this is our device number seven. It's a snap dragon. Which is just a modified -- well heavily modified android. So EMC on the left. Uh, two boxes, my first box I found the pinup, I couldn't get it to work. So got a second box, pulled the flash, realized, no, I was right. But somehow in the process killed the first time. So third time is the charm got it, rooted it, it's fine, it's great. It is on the Wiki GC22.GTVhacker.com and on the right we have UR pin up, not a lot of information. So moving on with the EMC. We have the high sense android TV. It's a Google TV, sort of, they rebranded it to kind of lose the stigma. Uses a slightly newer processor. Last year at DEF CON, we demonstrated how to bypass. It was a nice little bug. But moving on with this high sense, which is a quadco CPU used Android 4.2.2. We bring up the EMC again. So pinups, we have pinups. Data zero for a data line. Command clock ground and power. That's all that you need. Usually easy to solve the two. The resistors are small but you're not pulling the flash. With a high sense Google TV pretty much what you do is mount the factory setting partition. Which, um, by the system is mounted with no printers. So no, no SUIG no, no, you can pretty much dump whatever you want on there and fund it as a non-user. So wire it up, bounce, bounce factory setting partition which contains a bunch of DRM stuff. Which usually you don't touch it. Which is good for persistence. Giving it a good the command you get to execute through ADB and just elevate it. You could also modify system, which pretty much holds the general or less and then put on super SU, but I like a normal, you know, static SU binary. Moving forward never say something has never been hacked. In 2011, the post office put out an ad stating that a refrigerator has never been hacked. I didn't have the room or the --pretty much the reason to spend $3,000 on a refrigerator. So finally got to do the second best thing, buy parts for the refrigerator. Into the LG smart fridge. Runs Android 2.3. Which is a bit old, but, okay. Its brains of the fridge it controls ice, compressor, water pretty much everything. Normal usage you would use it to track groceries or say I drank this much water today. It has WiFi, USB and an SD card. So the first thought pull it open. Again, big pictures on the Wiki. So what we did instead, went through AMC. You got to go the hardware. You go to AMC and mount system as with the fire TV what we did instead, we pushed a normal android launcher when the system boots up, it asks you what launcher. You can start the normal 1 and then run your own apps with ease. Since we booted the council, the skill was zero, that meant they didn't even try. Now moving on. The hardware stuff into command injection. So, just a heads up. User input cannot be trusted. Do not use shell commands in your ZIP code. Again, never ever trust user input. If you do, please escape your commands. This counts to system as well. You are seeing manufacturers that will put in an LS and then pull variable S into the system and then say I passed into the variable. It will execute LS semicolon that tells us let's execute a new command. That will happen at route. So a perfect demo of that. A series of VIZIO smart TVs It is a little bit old, but still widely available. And full -- has life -- um, the smartness could be better. Again, it is a little bit old. TV is nice and thick. So there is a command injection with the WiFi password. You go to menu and network and select WiFi. If you type in these commands, which I will explain in a moment, you can have route over UR. So pretty much what we do is take USB run, which we are some to give away very soon. And enter the first command, which makes it a character note, that pretty much tells the colonel where to send the data to where we want to. You have a major and minor and runs the data properly. Give it a minute or two, it will error out. And takes the input and sends it to the shell, and everything from the shell to the character device. Which is great. We have route over USB. So that is device 10. Moving to device 11. The Sony Blu-Ray player. It is a Blu-Ray player. It runs Linux. WiFi, Netflix, vudo, smart apps. Keep that in mind for a second. Next up we have the LG Blu-Ray player. It a Blu-Ray player with the same chip set. They are pretty similar. And we found there is actual a bug in the supply packages from the major manufacturers that effects many players possibly many more than this. If you put a TXT on the drive in a folder called voodoo and a file SH, at the comment -- commands in that overrides the password. We didn't want to crack it, just zeros it out. You press voodoo and you get it on many players with the same chip set, such as the next one, the Panasonic EDT230. But that is easy. We found another one on this, just because. So picture the board. We have UR -- that was rather important for us in figuring out this bug. At times the debugging output comes across the pins you would not normally see. We are able to see it there. There was a command injection in the network folder name. So timing in a command, which we only noticed because of the UR. We were able to inject commands in. So now I will hand it off. >> Thanks, C.J. So next up is the Motorola raiser. I'm not going to talk about android. This is an isolated processor separate from android. So the communication between android and the base is done over a USB network connection. The base ban listens on the USB network port of, runs a diagnostic script and it runs that diagnostic scripts a root. Now, if you actually go and you look at the script, the running -- a busy box command, typing the file name through us. This means that using the file name we can do an injection. So if we have the file name that contains the, this X01 system we can inject any command that we want and run it as root. So next up we're going to talk about the polo plug mobile. This is a cloud storage device. Also a NAZ. You can plug in a USB drive. We have a UR on it. This gives us access to the boot logger and the root shell, but we also have a command line injection using the web page. If you go to the SQ plug page and you add an action command, you can inject arbitrary commands. They all runs a root. So if we move onto the net gear push to TV. This is a set top box. We have the UR pins and through the UR we can interrupt the boot loader and through the boot loader we can also control the Linux and run our own commands using the same injection that we talked about earlier. Now, if you happen to miss the boot loader, you can also run commands using the root shell for a few seconds. And we also have command line injunction via the web interface. You set the nickname of the box, that is root. So semicolon, whatever. And you can make this persistent if you want. You can mess around with the SDI. You is set the default you boot environment variable. Set whatever you want to run at you boot the next level. So moving on, we have the OMOTELO. This is a voice router. It is running open WRT. And we have a UR again, this is using console login, but we are talking about command injection. So they already have the SSH running. It is just firewalled by default. So what we need to do is to inject a command to change the firewall rules. And we do this using the web interface, we can inject whatever commands we want and we're, we're going to show you on the next slide the actual command, but we want to point out the default root password is the exclamation mark. We had fun, we dumped the file and started a cracker. The default SSH is only available on the LAN. There is no risk there. This is the web interface. If you look at the arrow there, we are pointing at the command. If you type in the command with the IP tables rule, that gives you access to the SSH. You can use the password that I just gave. So next up we have the Net gear. This is the media device. It is flash-based. So everything is in SWF file. This is a secure broad com SOC with encrypted updates. So early on this box is signed so let's take a quick look at the UR. Again, this gives us access to some things but we're going to talk about the command line, or the injection via the web interface. So when it downloads an update, the updates are downloaded over HTTP. This is a really bad idea. So if I pull down one of the apps, pull it open, I can inject a malicious link and traverse the file system and dump files anywhere on the file system. So if I repack the app, put a man in the middle, and my version of the app using the update, I can drop a root shell. So moving on. We have the HSQ. We are also hacked this previously. We had an app available on to play store. Unfortunately Google pulled it. They don't like these apps. Let's talk about how to get back in. If we mound a SMB share. We get the permissions of the SMB share. We need to set up the SMB share with the SU binary and we set the bit. We can get into the queue, run the binary and we get root. So now I'm going to hand off to Amir. [Applause] >> Thank you, Mike. So let's, let's start having some more fun. Let's get more interesting devices here. I'm going it talk about the summer baby zoom WiFi. So what this is, it is WiFi baby monitor, and custom RF and marketed as a secure baby monitoring device. We always look at the UR. Here is the UR connect. It is a little bit hard to read. Again, go to our website after the presentation. This actual bug the first bug, they have hardcoded user name and password on the device that the binary uses to communicate with the web interface. Now, you know, this is a terrible practice. From a secure standpoint you don't want to hard code credentials in every single place. So if you can see below the credentials are leak, speak, MS admin and authenticate is the password. So let's get into the hard coded user name and password. If you call this, you can see it lists three users. Two of which have different user rights and then the hard coded user name and password has admin and the snapped admin the one with specific password that changes with the device. So let's get into command execution on this device. The passwords are cool, but command execution we want to look for. So system GT is a binary that is accessible and uses SSH and a post if executed with system as root. If you can see below we gave an example how you can make a call. Every time you enable a Telnet server, remember most cases it is probably not going to be password protected unless you are passing like a dash L slash login, that tells someone to connect to the device to run slash login. Normally we do dash LH, so it drops you a root shell. Don't leave that open. You don't want people connecting to your device. Let's be safe here. So 20 devices. That's cool and all, but this is DEF CON 22. We want to take it one step further. So why not 22 devices? [Laughter] So we figured and actually, this was a, it was a lot of work to come up with 20 devices to hack. And more work to get 22 done in the period of time before the conference. So let's get into the next one. The next item on our list is the Samsung smart cam. This is similar to the summer WiFi baby zoom pro, but just a standalone camera. Doesn't have a handle or a monitor, doesn't pan and tilt. It is just a network camera with a speaker and a microphone. It has a web interface and a mobile phone for remote access. Yeah. So let's get into the UR adapter. Again, you can say a populated pin header. And we note the bad settings and the connection settings at the bottom. And it only does console logging. So it is rather interesting. We found this guy after looking at how this process logins and creating the original administrator password. You first setup the device. They don't look at the password is set. You can call the script to change the password on an administrator password that is already setup. So you know, it's a nasty bug. So the script does the odd check, not on the new user. This is only accessible over the LAN. So command injunction on this particular thing. Now, they, they set up a wireless, wireless settings for your wireless network at home, and even set up a WPA2, WPA or open network. With the WEP, it is put into a config file and pulled out a little bit later and pulled out and stored into a command. You get command injunction by inputting a shell -- escape command into the WEP key. It can be exploited without physical access to the device. How it works is in order for the bug to get triggered, you setup your WEP key with the malicious string, and to get it to do the connection, you have to unplug the network cable, unless it is connected over WiFi. If it is connected over WiFi and you change the WEP key, it could disconnect you, and you could lose access. You know, it's -- it means the physical access essentially to trigger. The more things the web interface runs as root. So root command injunction by changing the web key. In this particular screen shot. We show where the command injection occurs and do an example of enabling the root shell. I mentioned earlier, SL tells us to pass new connections over to SL/. So this is another one that you don't want to do and leave running on your camera, unless you add another user. So that's the route on that device. That's our 21st. I'm really excited to tell you guys about the 22nd. Mostly because I see so much potential in this device. Mostly for us hackers. This device is called the wink hub. I really like this device, mostly because of the peripheral it has, it has a Bluetooth, chip set, and a TICC1101RFSDR and it, you know, with little of work it could be a good RF toolkit for the hackers. This is a home automation gateway, it interactions with setup APIs and has all of the communication methods so it can contact your devices and have their on-line of devices from a prone pain gauge, to humidity, light, and motion sensing and smart locks. So the thing about the device. We will get to the information in a second. So this is the board. It is a pretty board. Everything is compartmentalized. It is broken out. The other thing about this device, it is under $50 device. There are deals where if you buy peripherals you can get it for free. If you are interested in RI stuff, this is a cool board. It has five antenna, it gives you the ability to communicate with every snort device you can think of, if there is API available and wink has chosen to support it. So the wink hub has a command injection bug. If you -- don't read PHP, or know PHP. You can see there is a pseudo command that takes in a note ID and an attribute ID passed in by the variable. This goes through the password, and then it is pushed in past the output of the command. So really cool. Take it home, go buy one. You can root it and have a lot of fun. Now, probably what you guys have been waiting for. Let's get dual core up here for a little, a little fun. [Applause] >> Got it. Anyone? [Laughter] I can tackle things, but it will not turn out well, I promise you. [Laughter] Okay. Sweet. Come on, buddy. Okay. Good times. Just play. It doesn't seem like fun. We have a light show and fun. Okay. I see him -- let's welcome M80 to the show. Come on, guys. Look at him run. That's a dedicated rapper right there. Thanks, buddy you saved me. Okay. >> Rap music and rap music accessories. >> So while, while he's rapping we're going to walk around and handout adapters and dual core CDs, and chrome cast, and adapters, we have roughly UR adapters a lot of fun. Cool lights. There is a lot of fun, guys. This is the party track. Let's make it rain. [Applause] >> Please make noise for the hackers hacking all of the things. [Applause] Now to be honest that is a cheap ploy to catch my breath. My name is M80. You might have heard our songs. I want to give a shout-out really quick. Anyone here hack cars? Cool. My friend published the car hackers' handbook. You can download it on-line and buy it on Amazon. I have a couple of copies in my booth in the vendor air. If you have cars, come talk to me about car hacking shit. All right. I'm going to do rap music. Probably run out of death and die. And I get you guys to officially DJ, like my DJ does, and hit the space bar to start the song. >> Ready for this? Tell me when. >> All right. Count it down. One, two, wait, what comes after two? [Music] >> I'm going to take the booth. You guys yell, hack all the things. Whoa, given up, a disaster recovery. Proof it on my C64, and fluid into orbit. With eight straight perfect. The motion make circuits, the case you heard, the namesake service, optimize the run time, because then it just flows the code. So before it is after, there is a rapper, with humans, the theme that destroyed recapture. Finish this chapter, we're not anything to hack into NASA. We drink all the booze. Drink all the booze. Drink all the booze. So we drink all the booze. Drink all the booze. Drink all the booze. 0 to 3, running every single day. I'm just waiting until my blackberry dies. I will replace it with a raspberry pie. Instead they are at the BX heaven. To the high stress. Quit school when we hit X. They didn't run the form. So we got a print F. The next check. Crushed Internet MCs, hacked by pineapple. I don't think you will like my Snapple, because I have mine with a cyanide capsule. Are you guys ready to hack? Here we go. We drink all the booze. We drink all the booze. We drink all the booze. Everybody so we drink all the booze. Drink all the booze. Drink all the booze. First we drink all the booze, than hack all the things. Hardware, service or encoded. Connected to the Internet, someone is going to own it. This is for the pirates, around, dragging you down. Hack on -- the challenges devices on-line, you know the challenges, so undercover, this is what we're doing with the burger. No. I think I need to earn one of my burns. Drink all the booze. Drink all the booze. Drink all the booze. So we drink all the booze. Drink all the booze. Drink all the booze. Zero, two, three, every single day. Hack all the things. Yep, make some noise for the hackers, guys. [Applause] We did it without notice and without pay. He is a great guy. So real quick, let's go to the slides again. Where are we add? >> We got to get out of here, soon. >> Wow! >> Okay. >> So we're going to have questions in the Q & A at the chat lounge and a big thank you to -- so a big shot out to DEF CON, and dual core -- we'll have our slides after we get back to our hotel room. We can push the switch and Wiki forms. Go to our blog. And I got to exercise more. [Laughter] Follow us on Twitter. We don't bite. We love hearing from the community. Thank you, everyone for having us out. We love you guys. Thank you again. [Applause]