My name is Sean Pierce, this is
abusing native shims for post exploitation.  Good
morning, there is more people here than I thought there
would be.
     I'm going to assume everyone is hung over.
     So about me.  I'm Sean, I have a CISSP and other
certs.  That is my Twitter handle.  GitHub and STB dot
tools and sites that I can control.  Just as a
disclaimer.  I'm not a pentester, not a developer, not
an iSIGHT representative.  Why am I using their slides?
They look really nice.
     To that point I just want to say that I love who I
work for and there is just a bunch of great people
there and really smart.  And I cannot say enough good
things about them.  If you want to know more about
them, that is their website.
     Why am I here?  When I was 21 my dad took me to
Las Vegas and we were at the Rio buffet and he said
what do you want to do today.  And I saw someone walk
by with a BlackHat bag.  I said is this going on now,
he said no, but DEFCON is.  So I snuck in.  A lot of
T-shirts and I met cool people and it encouraged me to
get into this field.
     My dad passed away a few years ago, and I think he
would be really proud that I'm giving this talk here
today with y'all.  He really is the reason why I'm
here.  Getting onto the talk.
     A bit of history behind application compatibility.
It's funny and there's a reason why I think Microsoft
has such a dominant place in the market.  They go to so
much effort to keep with application compatibility.  An
enormous amount of effort that you can't imagine.  Just
a simple case study, the original SIM city that ran on
Windows 3.9 or whatever had a free [indiscernible] up
to use bug.  Free some memory.  A free function.  It
says I'm done with this memory and still continue to
use it.  That is terrible.
     But lucky for it the old operating system didn't
really use a lot of memory.  Didn't have a lot of
concurrent processes running and didn't take it back
all that much.  And in the new operating system,
Windows 95 the operating manager was way more efficient
and it would want memory all the time.  This program
would crash frequently.  If you're a user and you
install your old favorite game on a new operating
system and it crashes all the time, you're going to
blame the new operating system.  Microsoft couldn't
have this.  The -- Def team drove down in his audio
blipped and filled up with every -- he could buy and
said everyone take at least three games and it has to
work on Windows 95.  Has to.
     They would hard code things into the operating
system to watch for certain crappy code that was
written by random people all over the world.  And they
would account for that in the operating system.  Which
is kind of terrible.  It was what they needed to do to
maintain such application compatibility.
     And there are other case stories and I encourage
you to read the old new thing, the Windows developers
and testers (audio blipped) put it into a book.  And
some stories are funny.  One where the graphics card
manufacturer wrote the driver and in the driver
specifications, it says do you support this, return
bull lean, true or source.  And the manufacturer
returned true for everything which is terrible.
Because that is how the operating system determined if
it should do something in hardware or software.
     Microsoft called them up and was like, hey, WTF,
and they were like we don't care.  Honestly we don't
care.  Even if we did, we would have no way to push out
a patch.  And even if we wanted to do that, that (audio
blipped) we don't support that anymore and don't have
the source code for it anymore.  Which is apparently a
common problem.
     Microsoft built their own database of what graphic
card supported once and they hooked that function and
did it all themselves.  Microsoft goes to great lengths
to make sure this still works.  Not just for
third-party bad code or dumb programmers, it's also for
os bugs.  Certain programmers leaned on certain
features in the operating system such as this case
study of synchronous buffer commit.  When you call a
right function and you think you're writing data to a
disk, you're putting it to the buffer and the operating
system will write things efficiently to the hard drive
in batches or whatever.
     If you have a database program that is not good,
because you have to guarantee that your file is in a
certain state.  Now, Windows had this function where it
says right everything to this.  Flush the buffer.
Great.  So they can guarantee it worked and developers
loved this because it was efficient.
     (audio blipped) impact.  And then they moved to
like a newer version of the operating system, Windows
95 and they noticed the database program was going
really, really slow.  Turned out Microsoft never
implemented that function.  It doesn't do anything.
When they thought they were flushing something to disk,
it wasn't at all.  Which is terrible.
     So what was Microsoft do with these programs that
are running super-slow?  They knock out the function
again.  Which is hill hilarious.  This line where the
operating system pretends or lies about something
frequently happens between versions of Windows.  Like
Windows 7, that's the major version of 7.  There are so
many programs that had bugs and how it determined what
version something was, they just called it Windows 6.1.
Like that's the function call, what it returns is
Windows 6.1 instead of 7.  But they run on this fine
but fail to run on Window's 7.  They have a lot of
lying when it comes to 64 bit or 32 bit apps running on
64 bit machines and I'll have examples in a bit.
     A while ago Microsoft tried to stop hard coding
values into the operating system and started to bundle
a bunch of stuff together.  There are a few basic
vocabulary words.  A mode and shim.  So a fix is one of
these little things.  This is if you right click on a
program and go to properties and compatibility tab.
Here you can say run as administrator or have a certain
display setting.  It does one little thing.
     A mode is a bunch of fixes bundled together.  If
you say compatibility mode here, then you say I wanted
Windows XP, SP3 or this or that and you get a bunch of
fixes that are already put together.  And
configurations are bundled together in what they call a
shim database file or SDB file.
     What actually happens when a process is being
shimmed?  Some parent process will call a function like
create process or execute, shell execute or something
like that.  And when it gets down the lower level API
calls, the operating system and (inaudible) checks the
registry to see if this process should be shimmed and
sends an undocumented compatible, app come pat, maybe
one underscore, and it will specify what it needs to
do.  The child process does a similar checking to make
sure it shouldn't shim as well.
     So it typically works in that a table, a data
structure in memory called the import address table
holds all the addresses for the operating system
function calls that that program is going to use.  This
is cool because -- including this route kit framework,
compatibility framework, will use -- to hook in
whatever it wants to manipulate.  When I say "shim" I'm
talking about the code that sits in between the import
address table and the rest of Windows API.  And they
made great hooking libraries and told no one about it.
If you dynamically load something, it hooks that too.
The address label from one of the DLLs it does that too
(audio blipped).
     Use for shims -- just for third party -- (audio
blipped) a fix-it patch.  If you are seeing exploit
against your enterprise and you tell Microsoft and
they're like okay, okay, we'll patch it come Tuesday.
Patch Tuesday and a month, I can't wait for that, they
give you a fix it.  If you crack that open you'll see
it's just a shim database file, SDB file with certain
configurations and usually there is some patching
information.  A lot of times it's not a super-elegant
fix but worse comes to worst, it will cause a memory
leak or crash the process before it becomes exploited.
     EMIT, the enhanced -- experience tool kit uses
shimming as well to get a process and either like up
its security by saying you must enforce ALR or must
enforce DLP ..(audio blipped)..like that.
     I want to introduce to you the tool that Microsoft
released that lets us make our own shims.  Called the
application compatibility administrator.  I want to
show you a cool undocumented trick.
     The text is little small.  You need to be an
administrator to install the shim and I'll tell you why
in a minute.
     Here I created a fix.  I specified PuTTY dot EXE
as the program I want to shim.  Here is a file on disk.
I'll tell you why in a minute it wanted the file.
     You'll see here that there's a BUN of fixes that
Microsoft has already made, I'm sorry, modes.  And they
..(audio blipped).. and that's cool of them.  They
provide 300 some odd fixes.  Some of them API TRACER,
API logger, read bios, reroute registry keys, reroute
file pass.  Fun stuff.
     If you go to where that program is and you open up
a command line and then you run the app come pat or the
application compatibility administrator from the
command line with the option of slash X, everything
will look normal and you go through the same sort of
thing.  And I specify that PuTTY should be my target
program.
     Now you'll notice instead of like the 300 some odd
fixes we now have 808.  A lot of them are very
specific, specific to a program.  So you see adobe acro
bat or Norton antivirus.  It's fun to see how Microsoft
was manipulating those particular processes.
     Now I just specified ..(audio blipped).. fixes
called ELL.  And as you can imagine it allows us to
inject any arbitrary DLL into any process we choose and
it runs with that process' rights.  Here I'm specifying
a DLL that I stored in the root directory.
     Now earlier I chose PuTTY.  Say I want this
executable.  And ..(audio blipped).. why.  Because it
went and analyzed that file and said here is a check
some.  Here is a bunch of stuff I can trigger off of,
compile time and all that.  I can use that to trigger
and execute my shim but I removed all those and said I
just want to trigger off the name, PuTTY dot EXE.
     I have to save a shim database file beforehand.  I
specified the file name and I'm saving it to disk.  I'm
going to use a program called SBDINT.  It's found on
every Windows computer out there.  Installing on the
command line here.  SBDINST.
     ..(audio blipped).. it will say installed
successfully.
     >> Hang on a second.
     >> And then it's installed.  Now every time I
execute PuTTY --
     >> Okay.
     >> Wait.
     >> Here is my DLL.
     >> Jesus I've never met a more grabby speaker in
my life.
     >> I always run out of time in my practice talks.
     >> We have Mike on stage.  He is a new attendee.
He is representing all of you new attendees.  How is he
doing?  I have one question for the crowd.  What the
fuck are you doing here at 10 a.m. on Sunday?  You must
be some kind of god or something.  First time attendee,
DEFCON.  Thank you for coming.
     >> Anyways.
     >> Let's talk about PuTTY now.
     >> Also I really like more of a conversation, so
if someone has more of a question, feel free to yell
out.  I do have to roll pretty fast on this.
     Okay.  Everyone good on that.  Just made a shim
and installed it with Microsoft's tool.  This is the
public version of the tool.  They have a private
version that shows more information and gives more
capability on a lot of things.
     I'll show you those things in a minute.  One of
the major ones is hot patching.  This public tool has
no awareness of hot patching.  But in shim database
files you can specify that something be hot patched.
And that is powerful.
     So I said you need to be administrator and you
only need to be administrator to write to two registry
keys and that's all SBDINST did.  I copied the SBD file
on the desktop and dropped it into a Windows folder.
     I made two entries.  The first specifies there is
a program that doesn't need to be shimmed.  And the
second one this is a GUI that points to this one.  It
specifies exactly the path on disk of my shim database
file.  The SDB file.  And I've played with this and
it's funny because you can specify go in there and
change to a UNC path so you have the shim database
loaded over the network instead which is hilarious.
     Those are registry keys that I was referring to.
The current hyphae local machine, that is why you need
admin privileges.  But if you ..(audio blipped).. you
don't need to be admin.  Those are the de-felts.  It
will drop the copy SDB file into.
     If you use standard installer found on all the
Window's machines and install something it will had the
fix to the add/remove program's menu.  You can click
and say uninstall and it will pop it out.
     Bad guys have used this, install it, and
immediately uninstall it because they don't want it
shows up.  That is weird because all it does is add
those registry keys.  If they added the keys, they
wouldn't have it show up.  I have never seen a ..(audio
blipped).. manually install a shim.
     There is a simple rule that I put up there.  It
keys off the magic value.  So what can we do with this.
We can do targeted persistence.  If PuTTY is run every
single [indiscernible] there is some stuff I can grab.
Whatever, I'll show a demo in a second.
     There is this registry key that malware has used.
If you have a program name in it and then you have the
stream, debunker, it will execute your debuger instead
of this program.  So we have a similar type of per SYS
stance mechanism but shims are way more powerful.  We
can do API logging and terminate any program that we
want.  There is a terminate fix, I don't know why it's
a fix.  There is crazy things you can do.
     You're in the process space and can capture
credentials.  You can snoop network traffic Trojanize
any ..(audio blipped). -- there was one interested in
SKATA systems.  They drop a shim database file that
keys off the SKATA software running.  If the software
never ran they wouldn't care.  If it did run it would
grab this information and execute the malicious code
and send back config stuff.
     We can force DLL loaded.  I can force an old one
to load instead of a new one.  I can introduce a 10
year-old vulnerability into a system.
     -- I'm going to show an example of that.  I could
have done in the past UAC bypassing.  But just patched.
I was like, oh.  Just before my talk.
     Since I'm a malware guy I'm into mall ware
obfuscation.
     Processes need to elevate privileges to do things
like direct access to the hard drive or write to the
registry or ..(audio blipped).. is the one that is
usually targeted.  And -- Microsoft quietly added this
feature and didn't document anywhere.  The manifest
file, the manifest part of the binary called
autoelevate and if that was ..(audio blipped).. then
that program when it launched would automatically
elevate to system level authority.  Which is hilarious.
They didn't think it was a big deal because you have to
be signed by Microsoft for that to work.
     With shims there is a fix called redirect EXE, you
see that program running?  Run this one instead.  Just
because.  And run it with the same privileges.  So the
common tactic would be to install a shim and you have
your malware on disk or UNC path and say I want to run
sound volume.  But wait a second redirect EXE run this
instead and my malware has the system level privileges
that sound volume did.
     That's fun.  Here is a sample of the dry dex
malware using it.  It runs SDBINST.  And it uses this
redirect EXE fix for its malware.  ..(audio blipped)..
installed with high privileges.
     A number of malware families have used this.  More
recent in the past year it's become more widely used.
I think after the Microsoft fix, it won't be used as
much.  The Microsoft patch was an optional patch.  And
didn't install by default, FYI.  Depending on your
settings.
     Black energy, roaming tiger, search protect was
infected with it when I began doing my research.  Just
potentially unwanted program.  It's not that big a
deal.
     [indiscernible] update, spelled weird.  Dry dex.
There are a few other malware families.  Black energy,
particularly the second variation is interesting
because it's been around for a while.  Used for cyber
crime and then picked up for use by ..(audio blipped)..
Way more sophisticated with 64 bit plug ins and used
shimming for ADP bypass.  They used another fix called
disable NX show UI.  It disables the NX bit.  You can
execute stuff on the stack.
     That was funny.  The second espionage group to do
something with it was called roaming tiger.  An ton, I
want to butcher his last name.  Outed last year by my
company.  Sand worm.  This group was outed by ESEP at
zero knights last year as well.
     Here we can see, may not be easy to see, but we're
using John Ericson, his STB explorer to analyze the
file they dropped.  They say I don't want any of the
Microsoft predefined fixes although there are plenty, I
want my own fix.  Which you can do.  So their fix
applies to explore [indiscernible] and all you need to
do to make a custom fix is make a DLL that supports two
functions and a shim that says use this DLL.  That's
where the fix is.
     Pretty simple to do.  So I'd like to show some
examples of how a pentester might use this or malware
might use this in the future.  There is anti-analysis
examples I'll get to.  I like the idea of old to new.
You take an old crappy piece of malware and when it
runs on a system that you compromised, you can specify,
change this at run time.  This IP address is this IP
address, this is ex-flowing to this location.  If a
responder came across a computer and finds that this
malware is running and you can make a simple thing and
he dumps it or gets it off a disk or runs it in a
sandbox and says it's doing something simple, speaking
out to this IP address or whatever, search for a domain
name or whatever, we don't see it.  It was hard-coded.
Little did he know it was changing dynamically at run
time.  And instant responders should be aware that SDB
files can do things like that at run time.
     PuTTY ..(audio blipped).. with an inject DLL fix.
Where is my mouse?  There it is.  We can inject an
arbitrary DLL.  There is a cool program out there
called PuTTY writer.  Adrian Fortuna.  I'm sorry if I
butchered your name.  It's cool.  It's a DLL that when
injected into PuTTY will hook the input and output
networking and will use a connect back to send you that
information.  So all you have to do -- I just ran PuTTY
on the left to show you it's PuTTY.  On the right is a
Linux machine and I started net cat listener.  Here
I'll go through the same deal where I make a fix and
apply it to PuTTY.  And I specify PuTTY writer and that
..(audio blipped).. no matter where you execute PuTTY
from.  If you're executing on this machine, it will
inject PuTTY writer and connects back to my shell and
shows everything that user is doing.
     Which is awesome.  You can also configure PuTTY to
execute a command upon connection.  So if I were doing
malicious things I would specify the command of put
this key into your authorized key files in the dot SSH
folder so I can ..(audio blipped).. drop something.
     There I'm specifying I don't want any of those
things if PuTTY came out with a new function.  They can
change the send and receive functions.
     I don't have a whole lot of time.  So there I am
installing the shim from the command line and then
deleting the file.  Here I'm running PuTTY and PuTTY
writer was automatically injected and connects back to
my net cat listener on the right.  And here I am
legitimately using PuTTY.  And I can see all the see
strokes coming across, including the user name and
password which happens in two seconds.  The SSH service
is being super-slow.  There you have it.  I can watch
everything they're doing.  Inject a command in there.
Fun stuff.
     Thank you.
     The second example I'm going to show you here is
when I'm going to use the correct file path fix to
redirect a path.  Over on the right there is a network
share that I opened up.  Controller/catch is the share
name.
     Here I'm making a shim specifying FireFox.
     I encourage all of you to check this out and look
at every single one of these fixes documented and
otherwise.  There is a lot of fun to be had with these
things.
     With the correct file path fix, with the correct
file path fix, it would fix some program that was
hard-coded to C:/settings to C:/users.  A lot of
programs made that mistake.  That's terrible.
     But they did that.  They had lots and lots of
..(audio blipped).. and that kind of thing.  With that
I'm say don't do that.  I do that here, I found the
FireFox profile and give it a semi-colon and then the
new path.  I remove all the parameters, all the filters
it can trigger off of.
     Fast forward this a little bit.  I'm saving the
file and installing it.  Deleting that.  If original
SDB file.  And FireFox.  Here on the right it's
redirecting all its stuff across my network share.
There is key 3 dot DB which is where the passwords are
stored.  There was no prompting from Mozilla or
FireFox.
     Another example.  I mentioned subverting system
integrity.  That's a big thing for me.  I prefer
stealth and misdirect to war games and red teaming and
all that stuff.  Here I'm demonstrating autoruns.
Awesome fantastic tool, it will show you tons and tons
of places where malware will really enjoy planting some
code because that is how it can get ..(audio blipped)..
when a user logs in or a machine boots up.
     I have several versions.  I'm going to rewind this
a bit.  I just downloaded and compiled Dexter which is
a POS malware.  It's right there on the dex top.  We
can see with autoruns it's detecting that registry key,
it has something really suspicious in it.  You can
right click and go to value and it will pull up regedit
and show the exact registry key that it found that was
so weird.  Here I made a shim which is awesome if I
don't say so myself.
     And here I'm redirecting file -- the registry
keys.  So that when it looked ..(audio blipped)..
particularly common one.  It redirects it to an empty
registry keys.  So all these versions will not detect
my malware anymore.  It shows some other tools in there
like processes -- prop dump and I added an EXE fix.
When someone tries to execute those, it will fail.  No
way around that.  You can just change the name of the
process or the file and it won't be shimmed anymore.
     So that's hilarious.  I can shim autoruns.  And
even better, I've also added a shim for regedit.  The
registry editor built into Microsoft will not detect my
malware anymore.  It will not see the malware key.
     The latest version of autoruns does something
different and my default registry redirect shim doesn't
work on it.  So it will show up for the latest version
but none of the prior versions.
     Here -- let me back up just a little bit -- here
this showed up in the latest version, 13.4 and I said
go to this registry key and it's not there for regedit
which is hilarious.
     Okay.  So moving onto the malware which is my
favorite thing.  I broke it down into three categories.
Benign executeables which is PuTTY where you use fixes
to make it malicious like load library redirect.  Do
hot patching where we could hot patch, overwrite the
OEP, the original entry point for the executable if you
don't know, and we could make our own rock chain and
use native code there to build out some malicious
stuff.  That is tedious.  So the next category is I
would say dependently malicious software.  Malicious
executable.  There can be a kill switch in the program
that without a shim installed on the system, it
wouldn't be able to get around.  Like an ignore
exception fix or you can hot patch all the jump
instructions of the program and redirect the program
flow at run time to do your malicious deeds.
     Tons and tons of ways to do this.  There is just
an infinite number of ways you can make something bad
or from bad to worse.  The last category was
obfuscated.  I have some shell code up there that I --
[indiscernible] and pull that out.  I'm sorry if you
can't see.  I just got some shell code.  And here I
have some assembly that was label, label.  And that
processed ..(audio blipped).. instruction which is an
infinite loop and it jumps to itself over and over.  If
you execute this program it will just stop there and
jump to itself over and over again.  No way around
that.
     There is a shim here that I made with SDB explorer
that creates a patch that knocks out the EBFE
instruction.  When malware is running on the intended
victim system, it will be malicious and call the shell
code.  If not the IRR guy that dropped it in a sandbox,
nothing is happening.
     This is how I make and install that B file.  I use
John Eric sons slash C and have that config file.  That
is the output of the program.  Output dot SDB and
install it.  You can use John Ericsons explorer to
install an SDB file stealthily.  Here is something
else.  I have -- mess with this code because I
shortened it to make it easier.
     I have some shell code, malicious shell code.  I
have the shell code key.  I made it the same length.  I
do simple obfuscation.  It tries to execute the result.
Why not use a single byte key.  I can make a shim that
patches over this key with a value that I choose.  I
can decrypt this to anything I want.  I can make it
benign and maliciously, say I want these bytes now to
be exploit code or something else.  I can do that quite
easily.  I think that's quite exciting because when you
have this kind of hacker type stub in the shim, you
don't have -- on file or in the malware and you don't
have it in the shim but it will only be produced
dynamically on the target system if you so choose.
     So for those of you who want persistence, here is
the config for patching explorer dot EXE for Windows 7,
64 bit, X86 and Windows 8.
     So, sorry, I have to run through this fast.
Current prevention for this.  I made a number of good
tools.  You can disable shimming through -- Windows
uses this stuff internally.  When you go into
compatibility mode it's using a shim.  If there is a
program named install dot EXE it's elevated through
shimming.  This is important.
     If you have -- it's automatically elevated in
Windows.  You can remove the shim engine, the thing
that is doing the patching.  That is not recommended
because other things use it like IMIT.  You can resolve
the SDB installer.  That is a good start unless you're
applying fix it patches to things.  The bad guys can
use the manual install method.
     And you can always allow no administrative access
to that box but that is probably never going to happen.
The current tools out there, I talked about most of
them, the public application compatibility tool kit and
manager and the installer SDB is on every Window's
computer.  [indiscernible] database values and all the
documented.
     Shims dot EXE is made by a guy named David Tomets
or something like that.  I told him I was giving this
talk.  He is like that is cool.  I said can I demo your
tool.  I said can you send me a trial version.  He is
like, no, you to pay for it.  Or you can just let me
demo it for Screenshots and he's like no, you have to
pay for that.  A parser, since shims are checked all
the time because ..(audio blipped).. execution all the
time, they had to cache that information.  It's a great
place for forensic value that a program was executed.
     None of these programs, nothing out there helps
defend or prevent malicious shims.  I made a number of
tools and break them into three categories.  One is for
detection.  You can scan a file for -- you can scan
something so you can determine if it will be shimmed or
not.  It will tell you, yes, this would have been
shimmed and the thing that would have been applied to
it.  There is a shim process scanner which scans every
process in the os.  I've only tried it for Windows 7,
64 bit.  But it seems to work.
     It does that through checking the DLLs that are
loaded into the process and see if they're the shimming
DLLs and it checks the registry and it checks the PED
flags.  Undocumented flags in the process of the
environmental block structure.  And then I made really
basic script to check for -- to see if the DLLs are in
any of the processing spaces.
     Shim guard, I made this for the purpose of
preventing shim from being installed but it's hard to
do because I would have to mess with the permissions
and when something tried to install it would notify me
and that got too complicated.  I made a PowerShell
script to alert as well.
     I made two plug ins.  One for volatility and one
for autopsy.  Autopsy is cool.  You can load the imager
and whatever else.  You can search for things on it.
And in the future I'll start doing more stuff with it.
And I white listed a bunch of hashes for known STP
files.  And volatility is the open-source live memory
forensic's framework and I made a [indiscernible] for
that and made it search for SDB files.
     I give Microsoft a lot of crap but they did an
enormous amount of work.  I love how the quotes say
nothing is available to bypass except for the redirect
EXE or the load library.  No harmful code can be
injected into the process except for the inject DLL fix
or custom fixes.  You're not opening any additional
security vulnerabilities.  You cannot use shims except
for the disable, or hardened fix or disable defender
fix or disable SR or DNX bit fix.  There's a few others
out there.  I just want to note some prior work.  Sorry
for the guy that was trying to take a picture of that.
I'll post it online.
     This is a great reverse engineer.  He started a
blog called secrets the application compatibility
database and he didn't finish it.  He stopped half way
through.  I found these guys, they blogged about
something a while back.  I wish I found this sooner.
Mark was one of the first ones to talk about this in a
security context.  And John talked about this last year
at BlackHat Asia.  Particularly patching the shim
engine stuff.
     Special thanks to my peeps, John, Greg, Wyatt, and
Patrick.
     I made a lot of my own string handling functions
and Patrick said it made him want to stab out his eyes
and that was good insight for me.
     Other resources for this stuff.  Shims blog.  And
I just want to say I apologize.  I'm sorry the
application compatibility, I'm adding more load to this
crap because I know so many people hate it and it's a
pain to so many people.
     I don't think we have time for questions.
     Out in the hall I can.  So I'll talk to you, I'm a
little hungry so I might try to get food while people
are talking to me.  There is my GitHub and there is my
Twitter and my email.  You can email me.  That's it.