
Kurt Baumgartner - Same and Different: Sesame Street Level Attribution

BSides Boulder · 2021 · 51:27 · 9 views · Published 2021-08 · Watch on YouTube
About this talk
What can the basics of code similarity analysis tell us about APT malware and implant families? Lots. For example, the SolarWinds/SUNBURST event was interesting on many levels. Unfortunately, when first discussed, there were rumors, but there wasn't data to move forward with attribution. Code similarity analysis gave us the first path toward exploring and understanding connections between SUNBURST and the previously known Kazuar implants. Let's examine in depth the fuzzy similarities between DarkHalo's SUNBURST and Turla's Kazuar, and the strengths and weaknesses of the three similar and unique features embedded in these backdoors. Let's dig into both the technical matter and the implications here. Then let's look through precise code similarities from some more recent malware findings, including Operation Dianxun implants, some of the implants delivered via the Exchange 0-day, and more. Technical attribution has both its place and its limits. On the flip side, let's examine limits and traps as embodied in Hades' OlympicDestroyer. Abby and Elmo are the same, but different. It may seem common sense to make characteristic comparisons across artefacts, but the practice and needs on the street can be unexpected and complex.

Transcript [en]

All right, thanks again everyone for coming to our second to last session of the day. Our next talk is going to be by Kurt Baumgartner. He's a principal security researcher at Kaspersky who researches and reports on targeted attack activity, complex intrusions and advanced malware. Today his talk will be "Same and Different: Sesame Street Level Attribution." So take it away, Kurt.

All right, thank you. Hey guys, this is fantastic. I am one of the speakers that live and work out of Boulder, Colorado. I've been a part of Kaspersky for 10 years now; I'm principal security researcher with the Global Research and Analysis Team. Prior to that I was a part of a startup in Boulder; we went by the name Novatix, and we eventually became ThreatFire, merged with PC Tools and were acquired by Symantec. So I've been a part of this security scene in Boulder for over a decade now and I love it, so I'm really happy to see us doing a BSides out of Boulder. This is great, and thanks for your time today.

Today I want to talk about sort of the ABCs of the application of file similarity technologies. We use it, and I use it practically every day, and I use it as a part of targeted attack research. We can apply it not only to executable code but we can apply it to scripting; we can apply it to various encrypted blobs, which sounds strange, but it potentially works, or I should say it works in some cases. And I want to sort of focus on some of its strengths and some of its weaknesses, and really I want to talk about the practice of putting it to work and some of the successes we've had in more recent targeted attack research. So really I'm going to talk a bit about SUNBURST. I mean, what 2021 conference would be complete without somebody at least talking about SUNBURST and the SolarWinds intrusions? And keep in mind SUNBURST is kind of only a small part of that mess of an incident; the adversaries were in targeted cloud environments as well, so SUNBURST was not the beginning and end of their intrusions, but it's a significant thing to talk about. It's really interesting what they did and some of what we can identify and sort of discover based on taking a closer look and comparing SUNBURST against previous stuff that we've seen. And then towards the second half of it I want to talk more about similarity results that I have in ongoing current projects. Some of it is the result of the Hafnium stuff that we've seen, or at least the zero days that were shared following the initial Hafnium attacks, certainly the Exchange zero day stuff, and then a couple other fairly interesting incidents that we're taking a look at.

So yeah, I mentioned I'm a part of the Global Research and Analysis Team. I'm working for Kaspersky; I've been there for a decade now. You might know some of our research. If you don't, I listed a few relevant and interesting research projects that we had over the years that I was a part of, along with some really talented colleagues. In 2013 we were looking at some of the initial known Duke activity and we were presenting publicly on it very early on. So back then FireEye was looking at some of their zero days and how the Dukes were using zero days, and they had a hard time connecting the dots with some of the backdoors and some of the payloads, and we worked with some partners out of a university in Hungary, so we were able to gather some other data sets that were very interesting as well. In 2014 we presented on Epic Turla. I have links to all of these at the end of my slides, so I'll be able to share all of our links to our research on these incidents and targeted attacks when I share my slides. So Epic Turla, you might have heard about Epic Turla; it was really a Turla operation, it was a series of campaigns from this well-known Russian-speaking APT, and it was a global effort. It was really pretty interesting. And then in 2015 we posted some of our ongoing research into the Dukes, and this time into CozyDuke. So you may know about some of that; it's all very interesting, and those are early and interesting Russian-speaking APT incidents that we've posted a lot of research on in the past.

More recently we've posted on something similar to the SUNBURST effort, I would say. In 2019 we presented on something we called ShadowHammer at our Security Analyst Summit. It's on YouTube as well; a video of the ShadowHammer research presentation is on YouTube. We presented on this Chinese-speaking APT that had injected code into an installer, and they were very successful at what they were doing. They were very good at hiding, blending their code into legitimate software and installers, much like the SUNBURST guys were, or the individuals behind SUNBURST. And they spread their malware to tens of thousands, if not hundreds; I think the numbers might have been in the millions, or, well, hundreds of thousands of systems. But really they were looking for a much, much lower number of actual victim machines that they were interested in, and that's very similar to the tactics of DarkHalo, the group behind SUNBURST; their tactics were very similar.

So in 2021 we've published some research that we had already distributed to our private customers, our private intelligence reporting customers, and we made public quite a bit of our research. I'm going to talk about things that I want to focus on from that research regarding SUNBURST and how we can connect it to prior activity and prior malware. At the time, in December 2020, when FireEye first discussed SUNBURST, they were talking about an unknown group, and there was really nowhere to find any solid information connecting it to previous activities. So I want to talk about that piece, and let's move forward with that. And that's the team I'm a part of.

So really what we're looking at when we're talking about looking at files using file similarity techniques, and applying file similarity and other sort of technical clustering techniques, we're attempting to perform some sort of technical attribution. By that I mean that we are essentially clustering a lot of data artifacts, anything I can pivot across when it comes to a malware set or an intrusion: their infrastructure, logs, anything I can find. I try to cluster this stuff together and create almost a narrative out of it, and we can start to apply a certain level of technical attribution when we combine together what may be weaker data points into this fuller picture, whether it's embedded languages, working hours, or rather say clues that are left behind in infrastructure, clues that are left behind in code. The targeting itself is often very interesting. Targeting has recently, like too full of a reliance on targeting, has caused all sorts of attribution nightmares for me, but there are ways to correct that. So anyways, when you put these sorts of data points together we are able to provide some level of technical attribution, and really that's what we're looking to do when we're adding this file similarity technology to the mix.

So I mentioned earlier SUNBURST was a part of the SolarWinds incident in December 2020 that FireEye announced. It was a massive announcement. The adversaries had been in networks for months, and eventually it came out that they were in over 18,000 networks, and FireEye was the first to identify the presence of this APT in their networks, partly because of something very unusual and unexpected. Essentially the adversary was trying to set up a second phone number for a specific account, and it was sort of a strange anomaly that a junior security analyst saw, and so they chased it down. That person had the smarts to make enough noise to chase down this anomaly. But at the time, again, I mentioned the actor was a total unknown. FireEye filed this under their UNC category, and there was no real evidence supporting any sort of attribution whatsoever. There may have been some media articles that had anonymous sources, and, you know, there was speculation that oh, this must be APT29, but there was nothing solid behind it. So we wanted to look into that.

So the problem we were looking at was how to link the SUNBURST backdoor to any previous known activity, and there wasn't anything solid published at the time. Now one of my colleagues, an intern by the name of Georgy, had been working previously on this backdoor, this thing called Kazuar, and Kazuar is an interesting backdoor that had been used by that group I mentioned earlier, Turla. Turla is one of the longest-standing APTs we know, and Turla is loosely connected, and eventually we think we confirmed that Kazuar is a backdoor that we've seen used in incidents that had targets that had Turla's focus. So we believe that there is enough data to say that Kazuar is something that we can confirm Turla has been deploying. The backdoor itself was publicly presented on by Unit 42, by the Palo Alto guys, and I think it was back in 2017 when they first talked about it, 2017 or '18, something like that. Kazuar, by the way, is something that had changed at the end of 2020, massively changed at the very end of 2020 into 2021. Other components started being pushed out by Turla to use alongside the compiled code, so we're seeing all sorts of Kazuar-like code being pushed out in various forms, but it's still in use and it's still of interest.

But let's get back to the SUNBURST thing, because again it was attributed to this new group, this group called DarkHalo, an unknown new group, and we were able to get our hands on some samples. Some of the things we found about this SUNBURST backdoor that really stuck out were several of its features that included dormancy, string obfuscation, and this obfuscated and unique victim tracking sort of tag, or victim tracking ID, that they were creating, which is always very interesting. Victim tracking is something that sometimes gets reused by totally unexpected groups, and we'll get into that later. But first off, the dormancy itself was interesting for several reasons. And actually I'm going to mention that when Georgy was looking back at the Kazuar backdoor, he had noted that, oh, dormancy looks pretty similar, and the string obfuscation, it looks like it's implemented using an FNV-1a hashing algorithm, and that's something that's very interesting. And then finally also this obfuscated victim tracking, this algorithm that they use, really seemed similar.

So what was he looking at, and what did we as a team start looking at later? First off, the dormancy appeared to be very unusual, extraordinarily unusual actually. This is not something we see commonly in high-end APT. The SUNBURST feature that they implemented regarding dormancy had to do with command and control server callback, and it had a sleep and a jitter functionality. So the sleeping time for the backdoor, once it was run on a system in a target network, would be between 12 and 14 days. This is very unusual. This certainly takes care of any sandbox issues, so if a SUNBURST executable made its way into an automated sandbox, in all likelihood the sandbox would not be running the sample for two weeks, and the sample would never call home. That's essentially what this dormancy implemented. The other interesting thing is that jitter, meaning sort of this random delay that was generated between 12 and 14 days, the jitter value was generated using a Random.NextDouble function call, which by itself is not terribly unusual. But when you look at the Kazuar backdoor, it would also wait over two weeks, and it would wait between two to four weeks to call back to its C2. This is really unusual, and its jitter, its sort of random delay between the two and four weeks, was also generated using this .NET Random.NextDouble function call. That in itself is not a completely solid data point that links the two, but when you combine it with these other functions, it's certainly something that we can build confidence around.

So let's take a look at this next feature. Both Kazuar and SUNBURST implemented not only FNV-1a hashing for string comparisons, but it was a modified FNV-1a, and the modification was really pretty interesting. So when either one of these backdoors wants to look for a specific string within its code, it's not going to use a simple string comparison routine and leave strings lying around in the code; that would be more alarming. Instead they use these hashes, and these hashes are very interesting because FNV-1a is a very simple, totally simplistic hashing algorithm, but then they added this XORing against sort of an unusual value at the end of the function. So not only is FNV-1a being used, which, okay, that's used by a lot of different backdoors, but you don't see it all that frequently in APT code, but you certainly don't see this unusual XORing, this additional modification, being added to it. So that was present in both SUNBURST and Kazuar, and again, in combination with the dormancy of the callback for these backdoors, it really builds up confidence that, hmm, okay, Kazuar has been around for maybe five years now and it implements these features; along comes SUNBURST implementing these two features; there's probably a connection here, and quite possibly Kazuar code is a source of inspiration for SUNBURST development.

The third of the SUNBURST features that's very interesting happens to be a victim UID, or victim ID, generation. So these guys not only used an MD5, but they used an MD5 plus an XOR against a set of system-dependent values. What SUNBURST did was they would kind of seed this user ID by taking a portion of the first adapter MAC address along with the computer domain and the machine GUID, and they would XOR that against an MD5 that was pulled from the executable. Kazuar did something very similar. They had a predefined string with a four-byte key, and the key itself was pulled from the volume serial number, so the disk drive; they pulled the serial number off of that disk drive and then did the same MD5 XOR to generate a victim user ID. Again, in all likelihood SUNBURST was being built with a lot of inspiration from what went into building out Kazuar. And we wanted to be very careful to say that we are not claiming Turla and DarkHalo are the same. So Turla again is the actor, or I should say the APT, that has been deploying Kazuar; I believe we've seen it in Central Asia quite a bit. I'm not sure, I don't remember Palo Alto's visibility on it, but we've been seeing Turla rolling this out. And along comes SUNBURST; SUNBURST looked very different, and what we're saying is the same is that the inspiration for developing this code, this SUNBURST backdoor, is clearly linked to however Kazuar was being developed and rolled out.

Now one of the links at the end of this slide will be to our Securelist post on it, and we include a timeline that's very interesting of when Kazuar was completely rebuilt, which I believe was November of 2020. This was very interesting timing, as far as, okay, we know that new variants of SUNBURST were being rolled out, heck, back in February and then in October again, and then Kazuar changed completely in November of 2020, and then the discovery of SUNBURST actually happened in December, yeah, I believe in December of 2020. So the timing is all very interesting as well when you look at what's being redeveloped and what code is being changed in Kazuar when somebody goes back to when Kazuar was being returned to target networks. So this is all very strange, but this is all very interesting, because we can say, with some level of technical data, some level of technical evidence, we can say that the code base at least is linked. We know that Russian-speaking actors have been deploying Kazuar, and we're at least initiating a discussion grounded in data around what this SUNBURST backdoor and this operation might really be, or what might be behind it. So that, to me, was very interesting. So again, code similarity techniques; this was really sort of this fuzzy functionality similarity, but it's of real interest to us, and that's a very effective technique for linking past activity.

So some questions that came out of that research immediately were, okay, have we seen code overlap like that before? And the simple answer is yes. In 2013 I saw some MiniDuke backdoor, or MiniDuke payload, code that overlapped with a number of Sofacy downloaders that were being distributed at the time. In 2014 we saw overlap with web shells, not just web shells but other data within the web shells, that were highly unique between MiniDuke and Turla. In 2018 we saw a really unexpected share of scripts that went into spear-phishing attachments, shared between, they were almost identical, shared between Turla and Zebrocy. And I do include a YouTube link at the end of these slides; my colleague Mike Scott spoke about that at Virus Bulletin back in, I think it was 2018. So that was a really interesting finding to me. So the simple answer here is yes, we do see very unusual code overlap in all sorts of situations. And then I just want to sort of focus on this incident in particular, because even though this is a high-end attacker and an incident that is very impactful, we can still perform this same sort of file similarity technique to link this code to prior backdoors. We see it fairly frequently that we can still apply this sort of file similarity technology to help guide the way. There are false flag issues that we may run into. In the past, we follow up and we have to review the findings of this sort of file similarity technology, but in the past it's been, you know, file headers or PE headers give it away; there are all sorts of other indications that false flags may be embedded within these backdoors to confuse researchers and defenders of these targeted attacks. But again, this was a very sophisticated APT. They intruded in, or penetrated, SolarWinds' networks, and their build process injected SUNBURST code into it. They were able to deploy that code after running a test run, and ending their code injection trial, and then compiling and deploying it in February 2020, and it wasn't discovered until December of 2020, which is incredible. It was in, again, 18,000 networks for possibly eight to ten months, so that really is surprising stuff. And these similarities are something that, while adversaries are aware of this and may work with it, they're still present in a lot of this code, and again, I do think this is a situation that will continue.

So there are all sorts of previous similarity projects, and I want to get into more current use, what I've been doing over the past couple months and what we see, and how we can apply some of this similarity technology against more recent stuff. So in the past, in 2004, IDAPython was presented at Virus Bulletin by some guys at F-Secure, and they talked about a phylogenetics approach to understanding and sort of mapping out genomes of malicious code. So this is a technique, this is a technology, that has been around for a very long time, and everyone seems to have their own proprietary implementation; some of it is less effective or more effective than others. Some of the other projects that have been sort of bandied around over the past decade had to do with hashing techniques. So ssdeep was a fuzzy hashing algorithm that ended up being implemented in VirusTotal, and you had to tweak different parameters to come up with sort of a sweet spot for every analysis you were looking at, so that was always present. Imphash, another project that looked towards PE file imports to come up with hashes and similarities across imports, was very interesting, but again not an exact science. There are tons of machine learning models that have been used, including J48 or C4.5 trees; Weka implemented a lot of simple k-means data mining algorithms that were used for years; and then n-gram extraction and database comparisons are another thing that have been used. There's all sorts of things, and probably the best known engine that's publicly available for a lot of this file similarity stuff is put out by a company called Intezer. If you want to actually play around with some file similarity checking, with a file similarity checking engine, they've got a pretty nice engine that they offer publicly, if you want to take a look.

But on the day-to-day, I am personally using this stuff, and what we do is we come up with a number of genotypes, and these are chunks of code that are found in these malicious objects. So whenever I'm interested in an object, it could be from a dump of memory space, it could be from a script, it could be from an encrypted blob; sometimes encryption strategies do not create the entropy they're looking for, or maybe it has a header that my similarity engine here will find. But the genotypes we find in these files, they're unique; they do not show up in whitelists. We have a massive whitelisting library that we've created over the years, and these genotypes do not show up in known good executable objects. And then there are all sorts of strings that this stuff will look for as well.

So in Southeast Asia in early March, following the Exchange 0-day, sort of the massive global-wide sweep and deployment of the Exchange zero day, there were so many servers that were targeted with that stuff, and it was very difficult to get a handle right away on all the different kinds of code we were looking at. One interesting thing that came up, and this one is particularly interesting because the initial memory dump, when it was scanned by all the scanners out there, was completely unnoticed, undetected. But when I took several different snapshots of that memory, of that executable code in memory, and loaded it up to our back end, we call it our attribution engine, the file similarity matching identified it as maintaining lots of genotypes, lots of chunks of code, and multiple strings that were similar to previous variants of PlugX. It was a bit of a downer, to be honest, to find something as common and as sort of prolific as PlugX code, but on some significant high-value Exchange servers these actors decided, okay, this Exchange 0-day, we are going to use that and push down, plus apply, a new sort of touched-up PlugX variant that was packed in a very unusual and fairly unique way that we hadn't seen before. So we know that PlugX was being deployed in early March along with many of the other backdoors to servers around the world, and again it was very simple to take those memory dumps and push them up and take a look at what they may match with.

Also in early 2021 we were looking into a group that we called BountyGlad. This is another Chinese-speaking APT, fairly prolific. The interesting thing about these guys is they are not high-end; they're not terribly technically sophisticated. They will use all sorts of spear-phishing techniques, and they will use publicly available malware, a lot of Cobalt Strike most recently, but they also have sort of what appears to be some sort of supply that they take advantage of, of implants. So there are shared implants and shared code, and in the past we've referred to the sort of overall set of groups using all this shared code as subsets of Winnti, but I know people don't like the Winnti term; you might call them Axiom. Novetta came up with the Axiom umbrella for all these groups, but when you break them down, we do report on these subsets individually every now and then. This one, again, we call BountyGlad, and when I was looking at initial victims it was very interesting that some of these samples share old strings with other Chinese-speaking APT, the Derusbi stuff. The Derusbi stuff that I was looking at was from 2016. So that was very interesting to me, that they're still maintaining implants that carry older code and older certificates in them that allow us to say, okay, at least this is the direction I'm headed in to identify what's going on with this APT activity. Some other interesting things about BountyGlad is that they were, at a global scale, after media organizations, so news media in particular; they were after organizations in the transportation industry around the world, both in North America and in Asia; and then infrastructure organizations. So one of the things that piqued our interest in BountyGlad initially was that they had hacked the website of a certificate authority in Asia and replaced one of the installers for the certificate authority there, one of their software client installers; they had replaced it with a downloader of their own, and that downloader in turn pulled down some images embedded with encrypted backdoor payloads, which turned out to be Cobalt Strike, of course. But this group was really pretty interesting simply because they're so persistent, and even though they are not technically sophisticated, they are very effective at penetrating networks, and we find them everywhere in the world.

And even more recently, I'd say this past week, there's been some interest in downloaders, or I should say in libraries, that include an entry export. So there is a group, and now there are multiple groups, that share a code or a malware set. NTT Security initially publicly pushed "Panda's New Arsenal," an article on Tmanger, well, part one, part two and part three, of this malware set that they had discovered and were working with. It looks like they incubated some malware and were able to get the attackers to push down even more of their malware set, so they ended up collecting a lot of this malware and provided a three-part research write-up on this new malware set, at least newly publicly exposed. This is something that we had called CoughingDown. There was one group in particular that had been using it, and up until, I'd say, the past month or so, maybe two months, it looked like it was being used by one group in particular, and you can see here, when we toss those samples into our file similarity engine, we will come up with the similarities in code used by CoughingDown, this one particular group. So that certainly whittles down, again, and guides our research efforts as far as identifying who we're dealing with or what we're dealing with. It may be a shared tool, but at least we know sort of this familiar subset of groups, or group of subgroups, this sort of umbrella of groups that we're up against with these incidents. So again, genotypes and strings can help provide some sort of technical similarity data that enables us to link current activity with previous activity. And with that, I am going to do some Q&A now. I'm happy to take some questions on the applicability, strengths and weaknesses of file similarity technologies.

Awesome, thanks a lot, Kurt. So once again, if you have any questions you can post them in general and stand by. Let's see, while we're waiting for some questions to come in. You had a slide with a bunch of different techniques that can be used for measuring code similarities, so examples I'm looking at here are like machine learning models, k-means, n-gram extraction, and of course various proprietary algorithms, methods, so on and so forth. What work have you done, or have you seen, into how adversaries are kind of aware of these techniques, and maybe they want to design around them, potentially kind of exploit them and trick any kind of similarity search to come up with potentially incorrect results, because most of us have some kind of weakness somewhere or another depending on how they're implemented?

Yes. Yes, I have seen changes more recently that to me are pretty clear: these guys are paying attention to their needs, if they have a need to sort of cover their tracks from one campaign to the next. Some of the stuff we've been seeing that still enables sort of this agile development process that they may be trying to implement would be to simply shift from, say, a C++ code base to a Go code base. Go is really interesting because even if you add something really simple to the Go code, it completely shifts the compiled code itself. So when they're adding conditionals or all sorts of things, it can really cause issues. But in that case, often you then have to fall back on using your expertise, which is your experience; you have to remember code you've actually looked at before. But we do see loaders being re-implemented from C to Go, and it can be pretty painful trying to identify some similarities across that. We see adversaries shifting from executable code to scripts a lot, so PowerShell; the movement to PowerShell happened maybe a couple of years ago and there was just massive amounts of PowerShell, and then we started seeing more and more VBScript, which is a pain to deal with, and then we'll see other scripts that they're throwing into the mix. So yes, I do think adversaries are looking at evading this sort of file similarity matching technology, and they're doing it by hopping from language to language, really, in their implementations.

So we have one question from Aaron here, which is, how does the research team come up with some of the names, like CoughingDown?

Well, okay, how do we come up with the names. So the names, often we'll try to stick with the name if it makes sense. So Turla, I believe, is a name that had been out there, and we continued to use that. But if we come across, let's say, an incident and we're not able to match, in our data at least, or even in public data, we're not able to link an executable or something about the system that that executable is found on, or the network it's found within, or the infrastructure that it's talking back to, there are all sorts of things that may come into play when you're coming up with a name for a group. So CoughingDown may have something to do with the COVID research that they were targeting, and some of the strings that they had left in the downloaders that they had pushed, so you might come up with something like CoughingDown. Or HoneyMyte: there are maybe a mix of file names and other strings that have come into play when it was first being analyzed. So yeah, a lot of the time it's initially what a researcher is finding relevant when they're uncovering some new APT activity, and it's not immediate. Usually we will stick with a malware name for a while, and that malware may show up across multiple campaigns, and then you come up with a group name that's separate. And for some researchers, they want to come up with arbitrary names for the group versus the malware; they don't want to tie the group name to the malware, which is usually advisable. So there are a lot of different things, and every researcher has their own method for coming up with a name.

Got it, got it. All right, a question

from psych heretic what do you think about the similarity hashing algorithms like ssd sd hash macho tlsh et cetera um he adds in patch doesn't work for any net executable for example so some of these other hashes may work better or do they um well i mean uh um i i sort of the the i certainly am a fan of the technique we've developed in-house i do not find a lot of the other techniques as effective as what we've been doing um which is again genotype-based uh but it requires you know being able to identify unique malicious code which means you have to come up with a giant uh current uh white list um so you don't end up coming up with

false positives i i i use those other algorithms as a part of my research i do i use impash um uh you know virustotal has a file similarity implementation um that i will use as a part of research but i don't depend on those as much when i'm you know looking for solid data and um i don't find them quite as effective as as what we've been developing in-house so yes they can be helpful um i do know of other companies that have come up with very interesting hashing schemes that they use across well that they're using to identify unique hashes across malicious code in the wild so there are there are ways to make it production ready

but it's really tricky and those aren't just publicly available those things are usually developed and maintained in the house all right cool um last question from urban are the types of weaknesses you discuss inherent to the use of malware of the state-sponsored level or is avoiding this type of detection a matter of strong or obsession well the weakness is the weaknesses inherent in file matching or file similarity stuff um it i i would say you know simply because the the bulk of what we're looking at um we narrowed down on it simply because it is fairly unique acro usually the malware we're looking at when it has to do with targeted attacks is fairly unique unless of course you

have an unmodified uncustom or you know non-custom cobalt strike downloader or meta interpreter thing um and it's not touched up like that that's definitely a problem and um there are financial groups there are or financially motivated groups and you know there's the crimeware stuff and they will um they will use sort of the the stock cobalt strike stuff but then it becomes much easier to detect and actually prevent altogether so you may not be able to immediately attribute it based on file similarities you'll have to use infrastructure and you'll have to go back and dig and do so much more research but it's so much easier to actually prevent it all together immediately so you know it's it's

the the weaknesses i'd say are they can be exploited by both targeted attackers and um less sophisticated criminal groups although you know depends on the criminal group we're talking about but um uh yeah the weaknesses are kind of their um [Music] they can be exploited by pretty much anybody out there from what i've seen great um thanks again for the talk kurt this is um topic um you know definitely relevant to a lot of the stuff that i've been doing in my past i'm sure a lot of the other people in the audience um also kind of know a bit about this and we're also really interested to hear about this talk so um thanks a lot right on thank you
