00:00:01.201-->00:00:06.039 >>Hi and welcome to the internet of vibrating things, I'm "goldfisk" >>And I'm "follower", 00:00:06.039-->00:00:12.713 and we're much more exciting than Mr Robot. >>Aah,yeah, so please set your phones to 00:00:12.713-->00:00:17.718 vibrate and we'll begin. [applause] >>Er, so, er before we get started we, er, just 00:00:21.588-->00:00:26.593 wanted to er, cover some, er, content advisory. Uhm, our goal with this talk is to, er, create 00:00:30.130-->00:00:36.069 an inclusive and, er, safe environment for us and you to learn more about, er, sex and 00:00:36.069-->00:00:41.141 technology and how they interact. Uhm, there are no sexually explicit, er, 00:00:41.141-->00:00:47.915 descriptions or images in this talk, er, and although we do mention, er, some legal aspects. 00:00:47.915-->00:00:53.153 And our focus is on the technology aspect, and, er, when you're talking to people after 00:00:53.153-->00:00:58.558 the talk, er, please ensure, if you are talking about things not related to technology, that you 00:00:58.558-->00:01:02.763 have their consent and that they're comfortable having that conversation with you first. 00:01:02.763-->00:01:07.034 >>Alright so, bluetooth. Uhm, it's in your phone, it's in your smart watch, your fitbit, your 00:01:07.034-->00:01:13.874 doorbell, your door lock, your, uhm, mouse, your keyboard...it's everywhere. Is this on? >>yip, 00:01:13.874-->00:01:19.846 yeah. I'd just stand there. >>Uhm, so bluetooth devices are everywhere: they're in your 00:01:19.846-->00:01:26.520 fitbit your phone, your laptop, your the lock on your door, your doorbell. They're everywhere and 00:01:26.520-->00:01:30.123 a lot of people aren't really aware of the security around this. So it makes sense that 00:01:30.123-->00:01:33.961 adult toys are going to have that technology too. Uh, generally bluetooth, internet 00:01:33.961-->00:01:39.399 connected devices are vibrators 'cause it's sort of the techy part, uhm, and increasingly 00:01:39.399-->00:01:43.003 they're becoming associated with mobile apps as well, so there's the internet connection through 00:01:43.003-->00:01:49.843 there. >>What could possibly go wrong with that? >>Sec-urity, more like like sex-urity, am I 00:01:49.843-->00:01:54.915 right? It's just a laugh, right? It's just like sex toys, like you know, who actually uses 00:01:54.915-->00:01:59.920 those anyway? >>So, er, a lot of people had that attitude, er, and one of the things we wanted 00:02:01.955-->00:02:06.860 to cover is what's actually at stake. Uhm, because it's all very well and good and well to 00:02:06.860-->00:02:10.630 make jokes about it, but as one, er, manufacturer talks about, they have over two million 00:02:10.630-->00:02:16.503 people using their devices. So, what's at stake is two million people, er, and, er, and that 00:02:16.503-->00:02:21.308 starts to become about: hey, this is about people, it's not just a joke. >>Uhm, and that's 00:02:21.308-->00:02:26.313 just one of the manufacturers Right, so the immediate thing is: What if you could... taken 00:02:28.648-->00:02:32.586 to someone's device and control their toy? You turn it on, you make it do whatever you want. 00:02:32.586-->00:02:37.657 That's sort of the immediate thing that comes to mind. >>And, er, a lot of, er, people in the 00:02:37.657-->00:02:41.695 past have sort of said: hey, this isn't really a serious issue ...a vibrator, it's just 00:02:41.695-->00:02:46.800 for fun. Uhm, but if you come to back to the fact that we are dealing with people here, then 00:02:46.800-->00:02:53.340 er, in fact, er, unlawful, er control of a device like a vibrator actually counts, er, 00:02:53.340-->00:02:59.112 potentially, as sexual assault, because it's unwanted sexual content. >>Uhm, there's not 00:02:59.112-->00:03:02.649 really much legal precedent for this kind of thing. cause in terms of remote controlling 00:03:02.649-->00:03:08.622 devices, uhm, so this definitely an interesting area. >>So there's a spectrum of, of what 00:03:08.622-->00:03:13.827 we call interim intimate devices, er, if you have someone who can control your lightbulb 00:03:13.827-->00:03:18.532 it's annoying, er, but it's not something that particularly intimate to you. But once you 00:03:18.532-->00:03:23.203 start moving into devices like vibrators, or at the far end, something that's, er, connected 00:03:23.203-->00:03:28.175 to your life like a heart - like a heart pacemaker, er, then you start to get a bigger picture of 00:03:28.175-->00:03:35.082 why the issue of, er, security in these areas is, er, particularly important. >>Uhm, 00:03:35.082-->00:03:38.785 so then moving on from the control. What happens if people can find out things about you 00:03:38.785-->00:03:42.722 using this? So, the very basic level: what happens if people can find out that you in 00:03:42.722-->00:03:47.828 possession of this device? Uhm, particularly, in certain places it's illegal to own a sex toy, 00:03:47.828-->00:03:52.833 uhm, and it is a criminal charge. Uhm, and in some places... there is a legal 00:03:54.868-->00:03:59.873 precedent of the possession of sex toys causing a legal charge. Uhm, yeah. >>And it's, er, not 00:04:04.177-->00:04:09.182 just overseas either. Uhm, in er, in the US, uhm,, Alabama is one state that's banned sex 00:04:11.618-->00:04:16.623 toys. There's a town in Georgia that does as well. Uhm, the situation in Texas is a little 00:04:16.623-->00:04:22.329 confused. Up and till very recently uhm, there was a ban in place. Uhm things we've seen has 00:04:22.329-->00:04:27.234 said it was declared unconstitutional, so doesn't apply, but it still appears in 00:04:27.234-->00:04:33.273 the, uh, code when we went to look at. >>Alright and then getting even into an even wider 00:04:33.273-->00:04:39.379 sense: what sort of information can a device like this generate about you? Uhm, so, there's all 00:04:39.379-->00:04:43.617 kinds of different data. There's your, uhm, temperature, your session information, there could 00:04:43.617-->00:04:47.320 be other potential senses. We just looked at one product in particular, but a whole lot of 00:04:47.320-->00:04:51.958 other senses generating all this personal information about you and a lot of apps have audio and 00:04:51.958-->00:04:58.632 video chat associated with that. >> So when we started out, uh, with this research, we were 00:04:58.632-->00:05:04.337 wondering: oh what are the potential exploits or vulnerabilities that a, a, third 00:05:04.337-->00:05:09.242 party hacker could take advantage of? But then we looked more closely, it actually turns 00:05:09.242-->00:05:14.281 out you might be more concerned about what the manufacturer's doing, and what they're doing 00:05:14.281-->00:05:19.286 with your data. So, this is the Standard Innovation Corporation and they're the manufacturer of 00:05:22.656-->00:05:29.396 the We- Vibe device that we looked at. And so: do you want these people looking at your, 00:05:29.396-->00:05:36.102 er, looking at your own, er. temperature data potentially, or, er, real time data as you 00:05:36.102-->00:05:42.709 use the device about what patterns you like or what, uhm, intensity you like? >>And what 00:05:42.709-->00:05:47.747 are, what are the implications of who they're gonna to give that data to. Uhm, I mean, these 00:05:47.747-->00:05:52.986 companies say that they, they claim that they are very concern-they keep that secure 00:05:52.986-->00:05:59.292 and secure about their privacy, uhm but if we look in their policy, we can say, see that 00:05:59.292-->00:06:02.729 they say that "we reserve the right to disclose your personally identifiable," that's 00:06:02.729-->00:06:08.168 your name with your information,"if required to bide the law". Uhm, and there's a bit 00:06:08.168-->00:06:13.039 of, not much clarity about what if nots required by the law, but they have other reasons to, so 00:06:13.039-->00:06:18.311 that's a little bit dodgy. >>And so one of the things is that people can make the argument: 00:06:18.311-->00:06:23.183 well, you know, usage data collection is just the standard part of mobile apps these days. 00:06:23.183-->00:06:29.556 And we wanna question that assumption and say: you know if you are making devices that are, 00:06:29.556-->00:06:34.194 uhm, controlled by mobile apps that of a more intimate nature, maybe you should consider 00:06:34.194-->00:06:38.064 whether you should be collecting that information in the first place. Because if the 00:06:38.064-->00:06:42.736 information isn't collected, then it's not vulnerable to either security releases or 00:06:42.736-->00:06:49.175 legal enforcement, uh, of releasive data. >> Uhm, so this is the specific product that we 00:06:49.175-->00:06:54.180 looked into and had the hardware for. It's wearable so you can wear it under your clothes. It 00:06:56.549-->00:07:02.022 can be controlled either with a remote or with... [unintelligible] and has two 00:07:02.022-->00:07:06.826 mirrors and so it's bluetooth connected to your phone or the remote. >>And what do you know? 00:07:06.826-->00:07:12.265 It turns out this device does send information back to the manufacturer. Uhm, so the 00:07:12.265-->00:07:18.004 temperature data comes from, as we understand it, a thermostat inside the device itself seems 00:07:18.004-->00:07:24.911 to be related to monitoring the temperature of the motor but we also determined it's affected 00:07:24.911-->00:07:30.417 by, uhm, like contact with the human body. So, at a minimum you can determine, er, if probably 00:07:30.417-->00:07:34.854 whether or not a device is in use even if it's not actually active. Uhm, so this is sent 00:07:34.854-->00:07:41.561 once per minute and the modem tends to read data, er, which is the pattern you're in and how 00:07:41.561-->00:07:47.100 strong it is, is a real time event. And so the manufacturers currently are collecting real 00:07:47.100-->00:07:54.007 time data on how, er, all their customers are using their devices. >>Uhm, so if you're 00:07:54.007-->00:07:57.977 using this specific device, what are the things you can you do to avoid this? You can use it as a 00:07:57.977-->00:08:01.815 "dumb vibe", it has one control button on it. You can use a remote control which isn't 00:08:01.815-->00:08:06.319 sending data, you can use the app if you're not connected to the internet in any way. Uhm, 00:08:06.319-->00:08:11.658 even if you're, if you're communicating using that device with a partner over the internet 00:08:11.658-->00:08:15.261 it's automatically sending data. But even if you are not doing that, if you are connected to 00:08:15.261-->00:08:20.266 the internet, it is sending data. Or you can block access using a firewall. Uhm, or you 00:08:22.268-->00:08:26.673 can use this tool we've made, using web bluetooth. We've made the Weevil Connect which has 00:08:26.673-->00:08:33.012 basic functionality to use the Vibe directly from your phone browser on your phone. >>And so 00:08:33.012-->00:08:38.418 you can either use a hosted version of Weevil Connect or you can,ah, also run it locally. And 00:08:38.418-->00:08:43.390 all web bluetooth connections have to be over an SSL connection. Er, and so, we can't 00:08:43.390-->00:08:49.462 promise you that we aren't doing something nefarious, but you can at least check out the code and 00:08:49.462-->00:08:54.234 see. But this is, er, that's approaching the solution technological end. Uhm, we're 00:08:54.234-->00:09:00.807 also wanting to approach it from, er, the wider, er, societal end as well, er, and so 00:09:00.807-->00:09:05.045 in light of that, we're announcing the private player chord. And so the goal with the 00:09:05.045-->00:09:09.682 private player chord, is pro- protect the privacy of people who are using devices like 00:09:09.682-->00:09:14.521 these. Er, we wanna promote transparency from the manufacturers about the data 00:09:14.521-->00:09:18.958 that they can co-collect so that people can make informed buying choices. And that the 00:09:18.958-->00:09:23.863 manufacturers that do treat, uhm, the privacy and security o of people intimate data 00:09:23.863-->00:09:30.537 seriously, people can choose to, er, to, to make those, er, purchase choices with that 00:09:30.537-->00:09:36.709 knowledge. >>Er, er, so at the moment, we've just recently contacted manufacturers and we 00:09:36.709-->00:09:40.180 have, er, some, er, questions asked there, and we gonna have that on the website that we 00:09:40.180-->00:09:43.983 going to host for that. >>And, er, along with that, we've come up with a draft rating system 00:09:43.983-->00:09:50.957 for particular products, uhm where, you can get at-a-glance view of, of, er, their approach, 00:09:50.957-->00:09:55.962 whether they click data or not, whether it's often or not. And you can help by using some of 00:09:58.064-->00:10:02.836 the tools and techniques we are gonna to use later by investigating other devices and, 00:10:02.836-->00:10:08.741 uhm, reporting your findings on that data that they find. >>Er, okay, so that's the 00:10:08.741-->00:10:12.579 implications. Now how did we get there? What did we do to reverse engineer this? So, there's, 00:10:12.579-->00:10:16.583 er...these are some of the things we did, tools we used - that you can use too, and of 00:10:16.583-->00:10:22.655 course the to- the Weevil tools that we made. >>Er, Goldfisk, what about the people sitting in 00:10:22.655-->00:10:26.726 the audience who say "I don't know anything about reverse engineering, I could never do 00:10:26.726-->00:10:30.897 this."? >>Well, that's fine because I didn't know nothing about reverse engineering. Uhm, 00:10:30.897-->00:10:34.767 there's a lot of, basically there's just a lot of playing with things, looking around 00:10:34.767-->00:10:39.939 seeing what you can find. A lot of things we just stumbled on to by accident. >>So, yeah, 00:10:39.939-->00:10:45.111 curiosity is definitely, er, your most useful, ah, tool when it comes to reverse engineering. 00:10:45.111-->00:10:51.217 So we generally start with one - with three questions: er: What does the device do? How does it 00:10:51.217-->00:10:56.990 do it? And then: How can we control it once we know that information? >>Uhm, so again 00:10:56.990-->00:11:00.894 this is the We-Vibe 4 plus. We had the hardware for this, but you don't actually need the 00:11:00.894-->00:11:04.464 hardware of a device to do internet of things reverse engineering. You can whole lot 00:11:04.464-->00:11:10.403 from what's already on the internet. Er, so this is the We-Connect, this is their mobile 00:11:10.403-->00:11:15.408 app that comes with it, that you can control your device from. >>So, when your, er, connected 00:11:17.744-->00:11:23.583 with a, er, partner, there's the bluetooth link between the vibe and your phone. Er, 00:11:23.583-->00:11:29.756 interestingly enough, there's not, er, a lot of reliability, a lot of reliability in, uhm, 00:11:29.756-->00:11:34.127 bluetooth LE connections in these devices because it turns out humans make excellent Farady 00:11:34.127-->00:11:39.132 cages. So you have connections from the phone going to the, er, server, to the manufacturer and 00:11:44.137-->00:11:50.677 then back out to the phone of your partner. And the finding the statistics of the API 00:11:50.677-->00:11:56.549 information which was what's reporting back the temperature and other information, we found 00:11:56.549-->00:12:01.487 using an MIT enproxy tool which performs, enables you to have a man-in-the-middle view between 00:12:03.957-->00:12:08.962 the app and the, er, back-end server. Er, now if you're familiar with Pokemon-Go, er, 00:12:11.030-->00:12:15.668 they had the same issue that this manufacturer has, which they didn't implement 00:12:15.668-->00:12:19.305 "certificate pending" and if they had, that would have made it, er, more difficult to 00:12:19.305-->00:12:24.310 impersonate the back-end server. >>Alright, so, first approach we can take is: hardware. >>The, 00:12:27.714-->00:12:32.719 er, any device that's sold in the US that, er, transmits, er, radio frequency, er, is required 00:12:34.988-->00:12:41.160 to be registered with the FCC to be sold and other jurisdictions other, uhm, certification boards 00:12:41.160-->00:12:45.898 are there. And part of the process is: you have to submit a bunch of documents describing 00:12:45.898-->00:12:51.638 how your device works. And, it includes, er, internal photographs which sometimes are 00:12:51.638-->00:12:56.643 really terrible and sometimes actually quite useful. >>So, the one on the, the one on the right 00:12:56.643-->00:13:01.214 is the board from inside of the Vibe and the one on the left is from inside the remote. >>And 00:13:01.214-->00:13:05.551 so, from looking at this, we discovered that they use Texas instrument chip. And it's a 00:13:05.551-->00:13:11.157 really old architecture: 8 -0-51 which is often used in really cheap, er, control situations, 00:13:11.157-->00:13:16.929 and have bluetooth stack associated with that. Uhm, the, er, compiler that you need to 00:13:16.929-->00:13:21.934 use is a mere $3000, er, although there is some, er, effort with FCC to support the 00:13:24.337-->00:13:29.642 bluetooth stack, er, and the, er, chip. Er, there is some evidence that there is potential 00:13:29.642-->00:13:35.081 over the air firmware updates, because there's strings in the app about it, but there was no 00:13:35.081-->00:13:38.951 functionaliy that we identified in the app that we could perform over the air updates at this 00:13:38.951-->00:13:43.956 stage. Of course, the FCC doesn't, er, show and share every document they receive to 00:13:46.292-->00:13:51.664 the public. It's possible for a manufacturer to say: "Hey, we'd like you to keep this, er, 00:13:51.664-->00:13:56.669 confidential." Uhm, but sometimes the FCC makes mistakes and er, so we discovered that in 00:13:59.472-->00:14:04.744 a later model, er, the certification, the request to keep this document confidential, 00:14:04.744-->00:14:09.449 somehow slipped through. So, if you're looking for advice, definitely check out the FCC's 00:14:09.449-->00:14:15.188 site for the documents you're supposed to have and sometimes you might get a bonus too. Oh, 00:14:15.188-->00:14:18.991 yeah, and don't do drugs, because if you have a drug conviction, er, FCC 00:14:18.991-->00:14:23.896 certification is considered a federal benefit, and so you can't get a certification. 00:14:23.896-->00:14:28.201 >>Okay what else can you actually do without having this device? You can look on the 00:14:28.201-->00:14:30.269 internet. Other people have taken apart. They are very expensive devices so you don't 00:14:30.269-->00:14:34.607 have to. This is a Reddit account associated with another manufacturer who do really 00:14:34.607-->00:14:39.312 interesting TED hours of adult toys, uhm you can see the two motors in the board and the, er, 00:14:39.312-->00:14:45.251 battery in there. Er, and this is our remote, it was more disposable, so we took that 00:14:45.251-->00:14:51.057 apart and had look to see inside. Uh, so we know now from the chip and specifications that 00:14:51.057-->00:14:54.594 this device is controlled with bluetooth low energy, or Bluetooth smart, so how can we 00:14:54.594-->00:14:58.698 communicate with that? Er, the great thing about bluetooth low energy is that they've set a 00:14:58.698-->00:15:04.637 standard profile, so we can, that means, that we can interact with the device through, in, in 00:15:04.637-->00:15:09.642 standard way, by interacting with the standard profiles so that we have each peripheral 00:15:11.844-->00:15:16.349 device with the centralised, mobile seriest of services, uhm some are standard like battery 00:15:16.349-->00:15:21.387 level, but some, uhm, specified by the person making it, and whether those have 00:15:21.387-->00:15:26.926 characteristics you can use to read or write back to the device. Uhm, so we used an app 00:15:26.926-->00:15:31.097 called Nordic Connect. This is just on our mobile device and didn't have any extra hardware 00:15:31.097-->00:15:35.501 or anything we can open it up and connect. This is the We-Vibe 4 plus which for some 00:15:35.501-->00:15:42.341 inexplicable reason is named Cougar. [inaudible question] Yes, all of them. Uhm, but none 00:15:42.341-->00:15:47.880 of the other devices. Just the 4 plus for some reason. Uhm, so we find here at the bottom, some 00:15:47.880-->00:15:51.717 generic differences and then at the bottom unknown service which then you can see has two unknown 00:15:51.717-->00:15:56.622 characteristics, uhm we find out later that one of them is the control and one of them is the 00:15:56.622-->00:16:02.128 status characteristic. >>Hey, Goldfisk, we should like, er, try sending some data to that, 00:16:02.128-->00:16:06.833 er, device now that we know certain characteristics. But how will we know what data to send? 00:16:06.833-->00:16:10.503 >>I don't know. That's really weird, I mean we could just send random data, but that would take 00:16:10.503-->00:16:15.808 a very long time. So, what we can do, we can take, er, why either you can use 00:16:15.808-->00:16:20.813 man-in-the-middle to find out what that new device is sending. Or one could use android logs 00:16:20.813-->00:16:25.184 to, uhm, find out what's been sent over, oh no sorry, bluetooth sniffing to find out 00:16:25.184-->00:16:29.388 what's sent between either the remote and the device or your mobile thing and the device, uhm 00:16:29.388-->00:16:35.194 or there's some android login functionality set up by sent. But the approach that we took 00:16:35.194-->00:16:40.233 was: getting an APK format that android apps are distributed in. We're just looking at android. 00:16:40.233-->00:16:46.072 Uhm, so you can get and decompile that and look what's inside. Uh, so, this is what we 00:16:46.072-->00:16:51.277 found. Sync pulse command has an integer array that looks suspiciously like someone could 00:16:51.277-->00:16:56.515 send over bluetooth. And, if we send it over bluetooth, what happens is it vibrates three 00:16:56.515-->00:17:00.486 times. So this is awesome because we know we've communicated with the device in 00:17:00.486-->00:17:04.290 a functional way we've actually talked to it and know what we want. Now we just have to figure 00:17:04.290-->00:17:09.128 out how to do that how can we do that better? And how can we do interesting things with that? 00:17:09.128-->00:17:15.401 >>So it turned out that, er, the data that's transmitted is always eight bytes long. Uh, and 00:17:15.401-->00:17:19.939 the first byte determines what the command is and so there's a variety of different commands, 00:17:19.939-->00:17:25.545 that er, the Vibe obeys. Now obviously we could stick with using a generic app, and the 00:17:25.545-->00:17:29.949 Nordic app is pretty cool she saves values to send back and stuff like that. But we also 00:17:29.949-->00:17:35.555 wanted to create er, some software that would run, er, on [inaudible] dot machine. So we 00:17:35.555-->00:17:40.226 discovered that node has the best Bluetooth LE's support, I guess it's the new hotness or 00:17:40.226-->00:17:45.965 something? So, we used a library called Noble for controlling the device. >>And, er, there's no 00:17:45.965-->00:17:52.638 library that you can Bluetooth the device so you can simulate the device on your, uhm, on your 00:17:52.638-->00:17:57.610 laptop and connect t it with your mobile device or your- for the remote it's slightly 00:17:57.610-->00:18:00.646 different, and there's some things going on there so you'll connect to it and it thinks it's 00:18:00.646-->00:18:06.252 the device. >>So that meant that we could, er, have a connection with the app and then every time 00:18:06.252-->00:18:10.990 you press the button or use some functionality in the app, it would send the data to what it 00:18:10.990-->00:18:16.696 thought was a device, and we could see , er, what the device was , er, expecting to receive. 00:18:16.696-->00:18:21.133 So, we could then that ourselves. >>Uhm, so that was great and we got some great 00:18:21.133-->00:18:24.870 things. We found out how to get the information like the temperature, the modes, the 00:18:24.870-->00:18:29.375 intensities but we were like: How can we make this better? How can we make this you can have on 00:18:29.375-->00:18:33.613 your mobile device that has a user friendly interface? Uhm, so we went with web buetooth. You 00:18:33.613-->00:18:38.684 don't need an app for it, just uhm, it's in development for chrome, uhm, we still, we're not 00:18:38.684-->00:18:44.123 quite sure around everything at the moment. But this is what we went for as a start for 00:18:44.123-->00:18:47.760 re-implementing the functionality ourselves, without needing any of the standard 00:18:47.760-->00:18:54.600 innovations, er, software. >>And so Weevil Connect is part of a suite of tools, er, the Weevil 00:18:54.600-->00:19:00.439 suite of tools that which allows yout to interact with We-Vibe devices. Uhm, one. There was a 00:19:00.439-->00:19:05.711 really interesting, er, or useful website, which was a team play generator for webbed 00:19:05.711-->00:19:10.649 Bluetooth er, software development. So you can basically say: this is the 00:19:10.649-->00:19:14.754 service we want to interact with, this is the characteristic we wanna interact with and it'll 00:19:14.754-->00:19:19.925 generate, generate a, uhm, a class that has all the boiler plate stuff that you can then 00:19:19.925-->00:19:25.965 just say: send this sequence bytes to this characteristic. Er, now we learnt some other 00:19:25.965-->00:19:31.771 things along the way which were, er, the in-invitation. >>We learnt about invitations, uhm 00:19:31.771-->00:19:38.444 >>They don't expire. >>There's weird stuff going on that don't expire, uhm other stuff we 00:19:38.444-->00:19:43.215 release, we were gonna release it, release this, uhm, for you to use. Lots of different things 00:19:43.215-->00:19:48.087 in there. Have a look. There's other cool things, other cool things going on playchord.com. 00:19:48.087-->00:19:52.558 find us at rancidbacon and g0 ldfisk with a zero and a K. Uh, yeah, we'll put that all that 00:19:52.558-->00:19:57.563 up. That'll be up in the next day or so, er, thank you so much for having us here. [applause]