Four Unnamed Sources

Or: If a pipeline explodes in the desert and there is no one there to hear it, was it really a cyberwar attack?

No one questions the importance of keeping abreast of current trends and developments with regard to information security, whether it is new malware techniques, attack vectors or just the motivation of some attackers. That means looking into the details of the Target and Sony breaches, checking out the specifics of Heartbleed and Poodle, and keeping abreast of the latest patches from Microsoft and other vendors. It also means trying to separate the facts from the fear, uncertainty, and doubt used to generate page views.

One recent story has me questioning if a pipeline explosion in Turkey was actually in fact an early example of cyberwar. The article claims that a large explosion along the Baku-Tbilisi-Ceyhan (BTC) pipeline, near the Eastern Turkish city of Erzincan on Aug. 7, 2008 was in fact a cyber attack. The article attempts to downplay claims of the Turkish government who said the explosion was caused by a malfunction, as well as discounting the claims of the Kurdistan Worker’s Party who claimed credit for the explosion despite the group’s history of blowing up pipelines. Of course there was also a statement by the Botas International Ltd. company which operates the pipeline which said that the pipeline’s computer systems had not been tampered with.

The explosion occurred two years before Stuxnet, and while I doubt Stuxnet was the first operation of its kind, the evidence to support a similar type of attack on this pipeline is mostly circumstantial at best. Even if this was a cyber attack it would not “rewrite the history of cyberwar,” as one expert quoted in the article claimed. It would just add one more data point to an already interesting history. Unfortunately the article does not give any proof that this was in fact a cyber attack.

Certainly the article lists plenty of circumstantial evidence to support the theory of a cyber attack to blow up the pipeline, but the actual proof comes down to “four people familiar with the incident who asked not to be identified.” Obviously in some cases journalists must rely on unidentifiable sources; however, usually when they must do so, the information provided is corroborated by other authoritative and named sources. That is not the case here. All of the named quotes in the article are speaking in general terms, adding background if you will, and are not speaking directly to this event.

Pipeline and cyber attacks have a long history in and of themselves that goes back at least as far as 1982 when the CIA convinced a Canadian company to deliberately put flaws into pipeline control software that was then sold to the Soviet Union. This reportedly led to a massive explosion along the pipeline in June of that year. This story also has its detractors, some saying the explosion was caused by poor construction and others saying it was flawed turbines and not flawed software that caused the Siberian explosion.

There was also a confidential report released by DHS in early 2013 claiming that key personnel in 23 different gas pipeline companies had been targeted by Chinese hackers with spear phishing attacks. And let’s not forget the plot of the movie Die Hard 4 where the evil hacker bad guy is able to redirect all the natural gas in the pipelines to converge on a power station causing a massive Die Hardesque explosion.

One really has to ask themselves why would anyone go to such great lengths to disrupt a pipeline when a simple misplaced cigarette butt can cause a massive explosion like what happened in Kenya in 2011 killing over 100 people. Stuxnet is thought to have required numerous teams of coders working for several months to create the software to disable the centrifuges at Natanz, a task that arguably could be accomplished in no other way. There are a lot more efficient ways to blow up a pipeline than to expend months of effort and untold dollars to accomplish what a small team and some explosives could do just as well if not even more efficiently.

So was the explosion along the Baku-Tbilisi-Ceyhan (BTC) pipeline an early act of cyberwar potentially setting back the clock on the earliest known cyber operation of this size? Sure, it’s possible, but without additional facts from someone other than an “unnamed source familiar with the incident who asked not to be identified” I will have my doubts. Until those facts are presented I’ll go back to reading my Microsoft Patch Tuesday reports.

All of this has happened before and all of this will happen again

Two teenagers in Winnipeg, Canada somehow got the idea to see if the default password on a Bank of Montreal ATM machine was still valid. They got the default password after finding the operator’s manual for the ATM online. As is often the case the default had not been changed and was still valid. Instead of taking all the money they could carry and running away the kids instead went to the bank to let them know. Of course being fourteen-year-old kids they went to their local branch, where, being fourteen-year-old kids, no one believed them. The kids had to go back to the ATM and get it to print out stats like how much money was still in the ATM before the bank branch manager believed them enough to notify the bank’s security department.

There are a lot of things that can be learned from this story, or actually should have already been known. If these kids had tried this in the United States, despite their good intentions, they may have been charged with a violation of the CFAA (Computer Fraud and Abuse Act). If the bank manager had not been so understanding I am sure they could have been charged with the Canadian equivalent. Testing for default passwords on bank-owned ATMs is probably not the smartest way to utilize your free time.

The branch manager should have taken the allegation seriously the first time, regardless of how old the people with the information were. Instead the branch manager evidently told the kids that what they initially reported was impossible. This shows a serious lack of security awareness training for Bank of Montreal employees.

What about the bank itself? Why did the Bank of Montreal leave a default six-digit password on an ATM machine? It is unlikely that only one machine out of several hundred ATMs was configured with the default password. I hope BMO gets around to changing all those defaults before someone is able to make off with the cash.

The worst part about this story I think is that all of this has happened before. A lot of people have heard about the presentation at the Black Hat conference in 2010 by the late great Barnaby Jack where he made an ATM spit out money on stage. That was sort of sensational and required access to the back of the machine. But what about the arrest of two people in Lincoln, Nebraska in 2008 when they used default passcodes to steal money from an ATM? Or the thefts in Derry, PA in 2007 from a Triton 9100 model ATM after the default passcodes were found online? Or again in Virginia Beach, VA in 2006, this time using default passcodes in the Tranax 1500 also found online in the operator’s manuals.

So in this one story we have default passcodes that aren’t changed, people who do not take security alerts seriously, people not learning from history and the possibility of innocent kids running afoul of the law. Of course all of this has happened before and unfortunately all of this will happen again.

Everybody must get stoned

Apparently FBI Director James Comey thinks that everyone in the Information Security Industry is a dope-smoking pothead who gets high just before an interview. “I have to hire a great work force to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview,” James Comey was quoted as saying.

Of course two days later, after basically insulting most of the Information Security Industry by calling them all stoners, Director Comey said his comments shouldn’t be taken seriously and that he was only trying to inject some humor.

Currently the FBI says that anyone who has used marijuana in the last three years is “not suitable for employment”. In addition you cannot have used other illegal drugs for the previous ten years. So the FBI has already recognized that marijuana is different from other ‘hard’ drugs and now they may be thinking about relaxing those standards even further. Considering that there are twenty-one states where marijuana for medical use is perfectly OK, and two states, Colorado and Washington, where marijuana is legal for recreational use it makes sense for the agency to revisit its anti-drug policy. However, specifically singling out one specific group such as Information Security professionals may not be the best way to attract applicants.

If the FBI wants to review its marijuana policy in light of the recent relaxation of laws in some states for all potential applicants regardless of job function, well that’s great. The overall sentiment towards soft drugs like marijuana is changing and employers, including the FBI, should adjust to that sentiment at the same rate as society. However, to relax standards for just one specific job type sends the wrong message.

The FBI has open head count for over two thousand recruits this year; most of those will be assigned to cyber crime units. The FBI, like every other employer in the security industry, is having a difficult time attracting qualified applicants for those positions. The US Army has said in the past that it wants to relax physical fitness standards for cyber warriors. Relaxing standards for those applicants, as I have argued before, is not the best way to get qualified candidates and sends the wrong message to applicants or current employees who met the old standards.

This is a simple economics question of supply and demand. When the demand is high and the supply is low the price, or in this case the salary, must go up. Artificially increasing the supply by lowering standards helps no one. If the FBI wants to lower standards to increase the pool of applicants how about it take a look at some of the other things that will automatically disqualify job candidates for employment with the FBI. If you failed to register for the selective service, guess what? No FBI job for you, same with defaulting on a government insured student loan. I have to think that the number of qualified candidates who have defaulted on a student loan and/or did not register with the Selective Service is probably several times greater than those who light up a joint just before an interview. If the FBI is serious about increasing its applicant pool perhaps it should reexamine those restrictions as well.

The FBI and other government agencies have a lot of strikes against them when attempting to attract highly qualified applicants. Things like a strict dress code, initial assignments to small offices, and government bureaucracy don’t help at all. However, the FBI does have things that other employers can’t offer like an amazing benefits package, stable employment that isn’t subject to market forces and of course the fact that they are the government. There is a distinct subset of people that look at employment in the government and in law enforcement as an attractive option. Perhaps the FBI and other agencies should play up these strengths when recruiting as opposed to reducing standards.

But seriously are people really getting high before interviews, especially at the FBI, as Director Comey even humorously suggests? If someone showed up drunk to an interview I wouldn’t hire them either, let alone if they were stoned out of their mind. I am sure there is some drug use in the Information Security Industry just like there is with the rest of the population but to suggest that infosec people are a bunch of reefer toking stoners who are getting high so much they can’t sober up enough for an interview tells me they aren’t very familiar with the industry they are trying to recruit from.

Is it time for an industry wide MAPP program?

As you might suspect, the bad guys have much better exploit notification than the good guys. While there is no central repository of vulnerability information that is only released to the good guys, Microsoft does an excellent job with early notification of its vulnerability information via its MAPP (Microsoft Active Protections Program). Should there be something similar set up for all security bugs on an industry wide basis?

On the surface it sounds like a great idea. Information about critical bugs like Heartbleed could be shared with trusted and vetted members early before the information was made publicly available and the bad guys could take advantage of it. This gives those trusted members time to fix the problem before the bad guys could develop new attacks and take advantage of the flaws.

This is how MAPP works. Microsoft has very strict guidelines on who can and cannot be included in the program and if you are found to be leaking information before the specified release date you are ejected from the program. Microsoft historically only granted a few days’ notice to its trusted MAPP partners of the upcoming Patch Tuesday bugs but has recently expanded this length of time to give vendors more time to develop protections for their products before the bad guys can reverse engineer the patches and develop exploits for those bugs.

This all works for Microsoft because they are in control of their information, the number of members in MAPP is kept small and each must conform to strict guidelines to protect the information Microsoft provides. But on an industry-wide scale this model falls apart. A prime example of the chaos that can surround a critical bug disclosure is the mess surrounding the disclosure of the Heartbleed bug. If you look at the timeline composed by the Sydney Morning Herald it is evident that attempting to keep the disclosure process simple and organized on an industry wide level is anything but simple. The process is fraught with non-disclosure agreements, employee leaks and covert secrecy, definitely not a process that should be trusted with critical software vulnerabilities.

The first issue of an industry wide MAPP style program would be who would run it? Is this a task for the US government? What about bugs found outside the United States? How would you keep the NSA or other agencies from attempting to hoard a critical flaw and add it to their weapons stockpile? While an independent international third party could run such a program how would it be funded? You could charge a fee to trusted members but then you introduce the possibility of someone buying their way in even though they shouldn’t be trusted. Not to mention the ethical debate that would arise from ‘selling’ vulnerability information.

Then there is the matter of deciding who can be trusted with handling such information early. As with any secret the more people you tell the harder it is to keep secret and as the Heartbleed timeline shows some people may leak information to their friends and employers or bad guys before a public announcement. Membership should be limited to prevent the circle from getting too large but who decides who is in and who isn’t?

Of course all this completely ignores the actions of the rogue researcher who is free to do whatever they want with their research. There is nothing stopping them from publishing such information publicly, telling a small group of people, selling it to the highest bidder or hoarding it for their own uses and telling no one.

An industry wide MAPP program sounds good at first but due to governance issues, international politics, and of course money, it would be difficult to keep together, keep the information out of the hands of the bad guys, and probably just create way too much drama and infighting inside the industry. Even if you were able to solve all those problems there will still be the one person who decides they don’t want to play by the rules and will do what they want.

A Psycho Analysis of Jericho

The epic box-o-shit. I don’t know where the tradition started but it has been perfected by Jericho of Attrition.org. Beginning at least five years ago Jericho has boxed up the tchotchkes, leftover guinea pig fur, random bits of useless tech and whatever else he happened to have lying around and shipped them off to whoever he felt was most deserving, or whoever he felt would make the best victim. I had been waiting in anticipation (actually it was downright fear) until I received what I almost knew was coming, but it never did.

About a year ago I was at a local flea market when I spied at the bottom of a box of random crap a glass squirrel approximately eight inches high. It was depression era pressed glass, speckled with random paint drops, a few chips in the glass and a rather nasty piece of sticky green felt glued to the bottom. Somehow this disgusting piece of glass made me think of Jericho. I figured the squirrel needed a better home than the bottom of some random box full of shit. It needed to become the centerpiece of a highly selected box-o-shit. I figured it was time to put my box-o-shit destiny into my own hands, time to tempt fate, time to poke the angry guinea pig with a carrot.

[Image: Glass Squirrel]

The guy at the flea market wanted $20 for the squirrel with the paint spots, chipped glass and nasty sticky felt on the bottom. Not really sure what he was thinking but I managed to talk him down to $8. I took the squirrel home, scrubbed off the paint drops and the nasty felt. There wasn’t much I could do for the chips in the tail though. By now it didn’t look too bad and I was wondering if maybe I should keep it for myself; that jerk Jericho definitely did not deserve anything half as nice as this.

Instead of using shipping peanuts or those bags of air or even crushed newspapers, I instead grabbed every tchotchke, random bits of useless tech and whatever else I happened to have lying around and used that for packing material. Unfortunately I was fresh out of leftover guinea pig fur.

It took Jericho three months before he even acknowledged receiving the box but he eventually wrote it up. And then I waited. I waited for the inevitable retaliation that was sure to come my way. I knew Jericho wouldn’t just let an eight-inch tall glass squirrel arrive unsolicited in the mail and do nothing about it. But I waited, Spring turned to Summer and every trip to the mailbox filled me with more and more dread, when would he strike? When would he put an end to this torture? Why oh why did I ever decide to send that jerk anything at all? I should have kept that squirrel for myself or better yet let it sit and rot in the bottom of that box of random shit at the flea market.

Finally after nearly a year of self-imposed torture, of opening the mailbox each day in anticipatory fear, it arrived, a small unassuming brown box. I immediately knew right away what it was and where it was from. On the one hand I was relieved that my torment was over, but I knew I still had to open the box, I still had to pore through the contents of whatever wretched debauchery Jericho’s twisted mind decided to send me. It has taken me a while, months actually, to get up the courage to finally pull back the packing tape to reveal the contents of Jericho’s box-o-shit.

[Image: box]

What I realized as I went through the contents of the box was that it wasn’t about me, it wasn’t about revenge for a glass squirrel. This box-o-shit and maybe all boxes-o-shit are glimpses into the deranged mind that is Jericho. Perhaps even a desperate cry for help that echoes from the basement he must live in deep inside the Rocky Mountains.

As you can see on the top of the box was a plastic baggy full of multi colored paper with two stick-on eye balls and labeled with the word ‘puzzle’. Obviously this is a symbol of a cracked and fractured psyche symbolized by the many pieces of different color paper cut up into small sizes. Obviously Jericho is crying out for someone to put his poor soul back together again.

[Image: open box]

Beneath the puzzle was a collection of magazine subscription cards, which at first glance might seem like nothing more than filler for the box. However, after sorting the cards and conducting a frequency analysis on the represented publications it is clear that these cards are yet another look into the enigma that is Jericho. While it is well known that Jericho is at or below average intelligence he considers himself to be of above average intelligence. This is indicated by the large number of subscription cards to Discover and Science Today magazine. The subscription cards to Men’s Health and Psychology Today indicate that he knows that he has a problem and is looking for some sort of solution, which he hopes to find by reading these magazines. While he considers himself to be technologically knowledgeable and therefore reads Wired magazine, the fact that he is still subscribing to dead tree publications shows that he is in fact a Luddite. Of course anyone as mentally unstable as Jericho will have deep-seated sexual frustrations as indicated by the subscriptions to Penthouse and Maxim, as well as the included Durex condom found elsewhere in the box.

[Image: cards]

And while we already have enough information to determine that Jericho needs major professional help there is yet more supporting evidence within the box. A collection of Pimm’s Cup and several tequila bottle caps shows his attempts at self-medication through alcohol. The collection of self-promoting stickers shows a predilection to narcissism and the random keys, rocks, candy and fur balls shows just how schizophrenic he actually is. The collection of dinosaurs is obviously a link to his still present infantilism.

[Image: tequila]

[Image: stickers]

[Image: dino]

Unfortunately I only do psycho analysis and perpetrator profiling as a hobby; as such there are still a few items in this box-o-shit that I have been unable to apply towards the subject Jericho. A Honda emblem? A Slinky Jr? An Elevation of Privilege card game? And who inside the United States under the age of sixty has a copy of a Susan Boyle CD? (I guess I do now.) I am sure with proper analysis these items will also provide valuable insight into the deranged and demented mind of Jericho.

[Image: Susan Boyle]

[Image: demented yellow squirrel]

Then They Came For Me…

First they came for Jackson,
and I didn’t speak out because I didn’t play D&D.

Then they came for Neidorf,
and I didn’t speak out because I trusted the phone company.

Then they came for Mitnick,
and I didn’t speak out because I thought the government was telling the truth.

Then they came for Watt,
and I didn’t speak up because I believed the prosecution.

Then they came for Swartz,
and I didn’t speak out because I never used JSTOR.

Then they came for me,
and there was no one left to speak for me.

Anatomy of Hype

Let’s see if I can break this down chronologically.

On July 12, 2012 a third party marketing firm hired by Verizon had a large database of Verizon user information ‘copied’. Verizon claims the incident was reported to authorities but no breach actually happened.

This statement from Verizon raises several questions. 1. Why did a 3rd party marketing firm have possession of this data, which contained much more than just names and addresses? 2. How exactly was the data copied? 3. If there was no breach, why were the authorities involved?

On Friday December 21st a Twitter user with the handle @TibitXimer (since removed) posts to Twitter and Pastebin that he was in possession of 3 million leaked accounts including plaintext passwords of Verizon Wireless customers. ZDNet publishes an ‘exclusive’, “Exclusive: Hacker nabs 3m Verizon customer records” (title has since been changed), covering the supposed breach. Of course the original story had no comment from Verizon or any verification of the data.

With a little digging around I find the link to the original Pastebin post by @TibitXimer and his link to the data. A link that goes to a pay-for-download site. I thought that was a little odd and wasn’t about to pay to download a breach database. After making a few posts to Twitter I got a sample of the data.

I could tell right away that it was not Verizon Wireless data and it looked to me like possibly Verizon FiOS data. I also did not see any passwords, plaintext or otherwise. After sharing the data with some other security people we decided pretty quickly amongst ourselves that the data was very similar to some other data that had been floating around the net for a few months.

After attempting to get a response from @TibitXimer via Twitter to confirm this new information, his Twitter account, Pastebin link and download link all quickly disappeared.

By Saturday December 22nd Forbes writes an article, “Verizon Denies Hacker Leaked 300,000 Customers’ Data-UPDATE”, with an actual update from Verizon. ZDNet does not bother to update their article until 8:00PM EST that evening with nothing but a one-sentence denial from Verizon.

On Sunday December 23rd The Next Web seems to put all the pieces together in “After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm” and examines the Verizon statement, the now disappeared @TibitXimer Twitter feed and the statements from security professionals on the veracity of the data.

It is pretty obvious at this point that ZDNet has been trolled; while the results were spectacular (from a troll point of view) the troll itself was not very complicated or sophisticated. Now on Wednesday December 26th the original ZDNet story still stands with a one-sentence disclaimer from Verizon and a brief mention that the Pastebin link no longer works. However, the still posted story makes no mention of the incorrectness of the data, its original source, its apparent age, the disappearance of the original poster and still alludes that this is a new Verizon breach.

I reached out to Charlie Osborne @ZDNetCharlie, the first name on the byline of the story, and asked if the story would be updated. She said that despite being listed first on the story she was not the lead contributor and therefore had no way to make edits. I’m not really sure I understand this; if my name was on the story I would want to make sure it was correct and would be calling my editor immediately even if it meant waking him up. I guess some people don’t care what their name gets attached to.

I shouldn’t be surprised at this as ZDNet has gotten rid of or lost all of their seasoned reporters. Charlie Osborne seems to have only recently begun writing technology after graduating with a medical anthropology degree. Zack Whittaker, who I presume is the lead contributor to the story, hasn’t responded to my tweets asking for an update. He too has only recently started his writing career and it would appear that most of his stories lately have been centered on smartphones.

While I understand that new reporters need to start somewhere I would hope that ZDNet would have seasoned editors in place that would force fact checking, verification and confirmation of a story before publishing. Leaving a story such as this to fester on their website reflects poorly not just on ZDNet but on the InfoSec industry as a whole, not to mention the damage that it is doing to Verizon.

The excuse that it is Christmas does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. ZDNet did update this story, twice, but the information they provided was inadequate and is now outdated.

I ask ZDNet to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether.

For those of you who have seen my talk ‘Media Hype in the Information Security Industry’ you should recognize that this is just another example of a big hack that never really happened. Unfortunately it will not be the last.

LATE UPDATE: It looks like I wasn’t the only one to notice the sloppy reporting at ZDNet on this story. Dissent at the Dataloss DB has published “Fool us once, shame on you. Fool us twice, we implement policies!”

Hackers and Media Hype or Big Hacks That Never Really Happened

I have been giving my talk “Hackers and Media Hype or Big Hacks That Never Really Happened” for a few months now and I think it is time to retire it. You may have seen it at Shmoocon Epilogue, Source Boston or Hope 9. If not, catch the video below. I also have the entire slide deck available including the bibliography if anyone is looking to check sources.

Here is the slide deck MediaHypeinInfoSec2012_HOPE.pptx

FUD can Sometimes be Useful

There has been a story making the rounds the last few weeks that is really bugging me. I was going to let it slide but the story just won’t die and every time it comes around again I just get angrier. The problem is I don’t think the story is actually true, which wouldn’t be that big a deal if I could actually prove it wasn’t true but in this case it’s just a feeling, I have no proof, not even a preponderance of evidence, just a feeling.

The story is sort of infosec related and deals with the geotagging of photos uploaded to social media sites. This is a very real concern for people like the US Army who usually don’t want it known where high value targets like say, oh, AH-64 Apache helicopters might be parked. The problem I have is that I seriously doubt the scenario as presented by Steve Warren, deputy G2 for the Maneuver Center of Excellence, actually happened.

“Warren cited a real-world example from 2007. When a new fleet of helicopters arrived with an aviation unit at a base in Iraq, some Soldiers took pictures on the flight line, he said. From the photos that were uploaded to the Internet, the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches.”

There are just so many things wrong with this story as it is presented to make it believable to me. Is it possible? Absolutely. Is it a real security concern? Most definitely. But did it really happen? I don’t think so.

First let’s try to imagine how the US Army determined that the enemy downloaded the photos and extracted the GPS location in order to lob mortars at the helicopters. How did the Army find that out? Did the enemy carry a sign past the airbase front gate saying “Hey, grabbed your Facebook pics HA! HA!” Did they capture an enemy combatant and water-board it out of him? Did they recover a laptop with a bunch of photos and map coordinates? Why are we only hearing about it five! years after it happened? How did the Army determine how the enemy got the information? That part is never explained.

Let’s look at a second more plausible explanation, assuming that helicopters actually did get blown up. A fleet of AH-64s is not easy to hide. If you’re an Iraqi sitting in your house eating your hummus and pita bread and you hear a fleet of AH-64s fly overhead you’re gonna notice it. You put down the pita and look out the window to see the helicopters flying off to the nearby US Army base. Then you call your buddies, grab your mortar tube and go have some fun. To me this makes a lot more sense than randomly grabbing pictures off Facebook.

So if this is really a made up story why did the US Army release it? I suspect they know they have a very real problem of soldiers uploading geotagged photos to social media sites. They tried banning Facebook and other sites before and that didn’t work. And actually the military needs social media for morale reasons. The number one morale booster when I was in the service was mail, or more accurately communication home to family and loved ones, and with today’s military that communication happens over the Internet and with social media. We cannot turn it off. So you have to do the next best thing, educate the users/soldiers/sailors/airmen/marines not to post stupid stuff that will compromise your military situation. Loose lips sink ships, or in this case geotagged photos blow up helicopters (doesn’t really have the same ring to it.) Based on my own experience with educating users I suspect they have met with only limited success.

So this story of AH-64s being bombed via Facebook makes a perfect urban/military legend. To people in the military it does not matter if it was true or not; the story will live on and spread and take on a life of its own. Now soldiers will double check their buddies when they take pictures because they won’t want mortars raining down on their own heads. Where training has failed peer pressure will succeed, and it gets repeated so many times it just magically becomes fact. Mission Accomplished.

But to those of us in infosec we need to look at this story for what it is, a possibility, not yet a reality, but something to look out for and to caution our clients against. Just remember not everything you read is true, the sky isn’t always falling but that doesn’t mean you shouldn’t pay attention.