Anyway, our talk is on what we call BYO disaster and why corporate security still really sucks.
A little bit about us. Are you pushing buttons? Anyways, my name is James. I also go by pumpkin
poop online. Just an all around nerd, boring guy. With me, I have Josh Hoover here, the
guy that pooped today. >> JOSH: Can you guys hear?
>> No. >> JOSH: I'll switch over here. Yeah. I'm
Josh. I've been coming to DEF CON well since I had hair and some of my friends over here
were just starting to grow hair. So privileged to be here. Thank you for coming to our TBA talk.
This picture that Jim selected of me is supposed to be kind of a joke. Did you guys read our
profiles at all online? You probably can't see it online. But this is Jim's way of getting
back to me. I told him to find a rare picture. That's the evil one he picked up me.
>> Anyways, at the end of the day, we're nerds with random ideas and consistent things. That's
the story of our lives. What we're going to do is talk
about credentials without cracking a single hash. There's been a lot of research work
in the past that has involved gathering and cracking them offline. We're pretty lazy.
We don't have time or want to spend a lot of time cracking hashes. So our whole thought
was to come together and find an easier way to find cleartext credentials. Secondly,
we're going to release a tool that automates the whole process and does things for you.
If anybody has done this in the past, it can be time consuming. How we're going to do this
is we're going to explore a new functionality issue and I will get into that a little more
later. We found how iOS got into the MSCHAPv2. We have the inner authentication mechanism
in place of MSCHAPv2. So I will go ahead and give it to Josh here and he will take
you through some of the technicals. >> How many people have ever set up a WPA2
enterprise network or know the ins and outs of that? You shouldn't, but yeah.
>> [INAUDIBLE] >> What that guy said right. There looks like
there's a fair amount of you that haven't. So I will go over technical details on exactly
what our research was looking at. I am sure most of you have set up a personal one at home
where you set up a key and you gave it an SSID and you signed on to it. It adds one extra component,
usually a back-end authentication server of some kind. In this particular instance, it
is the RADIUS box you see on the right of your screen. That just adds another layer. So you
can authenticate every single client in your network instead of just one key. You
have a client and AP in the middle and the [INAUDIBLE] component for WPA2 enterprise,
which is the authentication server. Since it will be a RADIUS server, there are other options
there for different kinds of servers, but this is what we're centering on for GTC stuff.
It's a lot of what you'll see in enterprise-level networks, and crazy people like us like
to run this at home. You pick your SSID and you connect right up to it. You pick your
network gown there and that's pretty easy. So I will blow your mind with technical details.
Association stuff. I will not go into that portion of it, but it is worth mentioning,
this is the first layer of attack for a lot of people that want to set up an evil twin
network. You are mirroring the exact same SSID that your target is using and hopefully
the clients will connect to you instead of the actual AP. That's the first layer of attack,
the evil twin. [APPLAUSE]
[Cheering] these guys are going to be very angry at me
because I actually don't drink. >> Your current speaker has to drink.
>> I can't drink. You guys can throw things at me if it makes you feel better.
>> No way. Here's for you. Here's for your co‑speaker.
>> You know how many times in my career I've had to take one for the team for this guy?
>> And also as you may be familiar, raise your hand if this is your first DEF CON? Why
is it everybody is new? >> Wait. Why were you pointing at him? All
right. You. Get up here. [APPLAUSE]
and the lady down here with the striped dress on.
>> I gotta suffer. You suffer up here too. >> Where's mine.
>> Bear with us. >> They know.
>> Picked up it from the bar. >> I know. It's a double.
>> I tried. >> We got more? Geez, everybody, come on.
>> All right. To all of you newbies, welcome. [APPLAUSE]
>> I'm sorry. Your time is up now. [Laughter]
>> Thanks for having us. >> It's already coming out the other end.
[Laughter] >> I have no idea what I was doing. Where
am I? Um, hi. >> Drink one?
>> No. So, association stuff. Right? We've got shots covered. So association stuff. We're
connecting the evil twin, blah, blah, blah. We're excited about that. Let's move on. So
the next portion that happens in WPA2 enterprise is EAP, the Extensible Authentication
Protocol. This particular service is going to be Wi‑Fi. It allows you to be using a
password or certificate or something like that to some kind of service. So the first
thing that will happen here in this whole portion is that the AP will request an identity
from the client. The client gets a pop-up; on most clients it says nothing more than
username and password. That's all it says. That will be kind of important later because
at this point, we haven't established what kind of authentication we're even using yet.
So anyway, the client said ‑‑ it does send over the identity. In this case, it is
the username or some login name. This is something you can stop here if you wanted
and just gather usernames all day long. That's boring. We want passwords. So that only gets
us one step. It sends it over to the RADIUS server. It says that's good. It sends over a PEAP
start. So what's PEAP? PEAP is Protected Extensible Authentication Protocol. Unfortunately, EAP by itself
is not secure. If you are sending over hashes or whatever, there's no encryption at all
at this point. So you can pick up anything. So, this is a way to protect that data. What
EAP does is make outer authentication and inner authentication. Outer is just an encrypted
tunnel. And inner is the actual user client's authentication. It's great if you are sitting on the outside,
but if you're the evil twin, it's sending it to you. You make sure it happens, otherwise
the client will freak out. It will not send you the credentials and goodies. So what happens
next? The outer authentication. So you guys can look up TLS if you're not familiar. But
there's a server cert that's on the RADIUS server that gets sent over and establishes
a TLS tunnel in order to start sending over all the goodies, all the good authentication
portions of whatever you happen to do. You go to the inner EAP. In this particular instance,
we will talk about MSCHAPv2. It differs from V1, but MSCHAP is generally used for NT or
domain or whatever, Windows login. So username and password. It's a way to allow people
to use that and log into a wireless network. So this is kind of important for a lot of
enterprises out there because they want to make it easy. People don't want separate passwords.
People want to bring in their BYOD devices and this allows them to use their normal login
or use it on the corporate network or whatever network they're using. So the next thing is
what's called ‑‑ sorry. Just sends the identity again. So it fully sends it over
to the RADIUS server. The requester sends it. So the first thing that happens from the RADIUS
server, it sends over a challenge, the V2 challenge. But the client takes this challenge
and takes its password and makes a hash from it. Then it sends it back to the RADIUS server.
An important part of V2 over V1 is there's a dual authentication happening here. Both the
client and RADIUS server want to make sure they know the password. So the RADIUS creates
a challenge and says use this challenge portion to create a password for me and a hash. And
the client says no problem. I will take that challenge, my password, create a hash, send
the hash over to you. There's a hash and people can tell you how to crack those, but we're
lazy and still consider that too difficult for small minds. It will send that back over
with the actual challenge itself. And say okay. Here's my hash, but I want you to tell
me you know my password. Take this challenge, hash it with whatever you think is my password
and send it back to me. So they say if I do have your password, I'm going to do that and
I'm going to take your challenge and send the response back to the client. At this point,
the client looks at it and says does this match? If it does not match, it is supposed
to drop the connection at this point, which may or may not happen as we see here going
on. But this is an important part of V1 versus V2. Microsoft and Cisco created this to circumvent
what is going on here. You will see here in a second by making sure the client says,
well, I will give you my hash, but I'm not going to connect until I am sure you know
the password. Then the RADIUS server will take that and make its actual response and say
okay. Your password was successful. Here's the response to your challenge. The client
says, do you know my password? No problem. Send over success to the RADIUS server. The
RADIUS server says great. We're good. Let's start our connection and send over an EAP-TLV success.
And we're golden. The user authentication has happened correctly. This is where MSCHAP
V2. This is basically an EAP success portion here. We're installing special keys on to
the AP to start up the actual encrypted network connection so they can get the rest of their
IP address in order to get access to the network. We will blow your mind with fancy
technical details and finishes the connection stuff. Where we're really concentrating here in
our attack is the inner authentication portion, because we want the password. We need to convince
them we know the password; we want them to send the password to us anyway. So, this is
where our research is really focused. How many people do security research other than
showing up to DEF CON? So, a few of you. You are probably familiar with how difficult this
can be. Especially stuff like this when you are hit in the face and you say no. You
can't have that connection and again it hits you in the face. We found this funny video
that reminds us exactly what this feels like. It is not a whole lot of fun, but she's okay.
So you'll be okay too. You take a few hits. You get back up and she gets back up and she
had to finish this. But anyway so, that's a little overview, quick overview of the way
our research ‑‑ exactly what our research is looking at. Pass it over to Jim here and he
will talk about our first attack. Thanks for sitting through all the technical details.
>> JAMES: I have to say I only purposely took three drinks. The crap they just gave me pushed
me over the best. So I will do my best to get through the slides. Anyways, the first
attack, we call it IPONER. So we've ‑‑ the RADIUS server is a patched version that we
wrote that kind of puts the exploit into there, kind of like Josh Wright's in the past for
capturing hashes and cracking those offline. We did this in a different way. But anyways,
the first thing that happens is the server challenges the client like what Josh was talking about
earlier. The client will send its MSCHAP response back along with the peer challenge. That peer
challenge is basically the client's way of authenticating the server to make sure both
people have knowledge of the cleartext credentials. So once the server gets that in the response,
the attacker, and we don't know what the user's password is at this point, has two choices.
Your password is good or your password is wrong. So the first thing we tried is we accept
everything. If anybody uses patches, they've been designed to say success for everything.
Any password will send a success and response. We do that. The peer challenge doesn't match.
They say what you sent back is wrong. It won't establish a connection to the network, which
is what we're after. So we started over. We're trying things and consolidating things but
anyway, we reject the password. We tell them what you sent me is incorrect. So the server
then sends a TLV success at the end. The use or this password and we send it back whatever
you sent me is incorrect. Expecting the client to drop the connection. For some reason, iOS
and some OS X devices don't drop the connection. It is basically telling the client everything
is good and we'll finish this connection and your DHCP connection and address and start
sending you services. The device is like, I don't know what that means, but okay. Cool. We're
good. [Laughter]
[APPLAUSE] Right. So the client sends us a TLV success
at that point meaning they're ready for DHCP address and everything else going on. So the client
checks for a captive portal. Most devices, when you're connected to a secure wireless
network, continues there is not a captive portal. There's no reason to say there's no
captive portal. There the iOS and [INAUDIBLE] devices don't do that. Shaped a probe no matter
what. We capture the probe and say there's something you don't need. (music) [INAUDIBLE]
that's how the attack basically works. >> We're very happy.
[APPLAUSE] >> Jim: So we're not ‑‑ so from a user's
perspective, what does this look like from the mobile phone? You get some manager that
brings his personal phone to work. Even though he knows he's not allowed, but he doesn't
care, he's a manager. He pulls up his manager like Manny here in the front, like Tony and
Manny here in the front. So anyways, you have your MS test network. So you select it. It
prompts you for your username and password. It will pop up a cert. How many users always
accept a cert. It can say you're a *** on the cert and people accept it. Now you can
make this log in whatever you want, but we just took a standard one. The next thing pops
up. It says what the hell. I already typed it in. Maybe I got my password wrong. This
last screenshot is what it looks like from an OS X device. It actually tells you that you have
authenticated with MSCHAPv2 and we just showed you that's not accurate. So at the end of
the day, you're getting your cleartext passwords. You have a full man-in-the-middle and the sky is basically
the limit. You can do anything you want with them at this point. A recap. The OSM devices
don't appear to be handling MSCHAPv2 properly. They're not paying attention to it for whatever
reason. We don't really know. But basically at that point, so much for mutual authentication.
They're there for mutual authentication and at this point, it's not working. So we're
bypassing that mechanism. And we're just letting it go through and establishing that connection.
It is defaultly sent by the mobile devices and just forwarding them on to our malicious
captive portal like if you are mimicking a hotspot at Starbucks. Not that we've done
that. And then the users have their credentials again. We're there to capture them. Oh, I
love Apple. So anyways, I'm gonna ‑‑ or actually the next slide here. We're talking
about responsible disclosure. [INAUDIBLE] first off responsible disclosure because Josh
gives me crap all the time and I will tell him how I really feel about it. It's a good
thing and we encourage people to do things. It's like in elementary school when you tell
a kid you will tell on him before you do it. So we found a new issue. We will report it
up the chain. Typically I discovered this thing that expose your back door and I urge
to you pass you before someone dumps a nasty payload in there. You guys don't have a sick
sense of humor like me. So anyways, that's what happens. Then the sociopath and your
responses. Outsourced managers put ten cards on it and they never get back to you. That's
typically how it goes, right? [APPLAUSE]
Actually, in this case, they did respond with their generic message. A month later, can
I get a status on that ticket number 99 whatever. Then I get a response, hey, me Josh 4379,
I like gummy bears. Ticket closed. Basically saying whatever you told us is crap and have
a nice days. Okay. Cool. So, this is their actual response they sent back. Basically
they're telling us that it's nothing. And then they tell us at the end here, why don't
you try this GTC thing because it will send this *** to you in cleartext. So thanks,
Apple. We will go ahead and start our next attack.
>> Well, Apple, thanks. I don't know what to say. It's early Christmas? I am not sure
what is going on. With all that said, it works with GTC, but we thought it was hilarious
they were giving us our next attack. What's GTC? It replaces the portion of the authentication
that is in MSCHAP. It was developed for PEAP version 1. It was created for token cards
and one‑time passwords. You guys have probably seen the secure cards. If you ever worked
for a major corporation, I am sure you saw something like this or played video games.
It's similar with MSCHAPv2. So a lot of it, I will not go over the whole interaction because
it's all the same; instead of the dual challenge and all of that stuff, it sends over the one‑time
password. It is similar in that regard. So you guys remember what I said about the clients
not actually telling, or the server not telling the clients, what kind of password and username
it was asking for. Well, this is one of those areas where it might become helpful.
Why wouldn't it be? Doesn't say one‑time password. It doesn't say give me your token card. This
is weird thinking with clients, but think about how we use that to our advantage. It
is probably pretty obvious, but let's take a look at it. This is the next attack. It's
called the peeping Tom. You don't see, but you have your clients in the [INAUDIBLE] and
can be an Android or iOS device. The last one was iOS only. Before I get into this attack,
this doesn't invalidate and I think that's what Apple was saying. People decide no one
supports GTC anymore. Apple doesn't fix their problem and that's still a valid attack vector.
So what happens with our first attack here is we replaced the RADIUS server just like the
other one, exactly the same. The server request ‑‑ well, you need the identity thing. It sends
over the identity just like MSCHAP. The server says send me that password. The client is like
oh, okay. I already got the password. Why not. So the client responds with sure. This
is a GTC password. Why not. I just asked the client for username and password.
Since we don't actually know the password, GTC fails and says no password for user.
We're a RADIUS server patch and it will have success anyway. Sends the server LTC, some
and says okay. Your password looks good. And the client is like sure. I trust you. Why
not. Send over the password. It's a one‑time password. Why wouldn't I do that anyway for
the one‑time password. And then we have the full connection there and the full connection
is established and at this point, we can do all kinds of things. We have the password
which I will show you in a second. But we can use the normal man-in-the-middle attacks you might
want to do with the client to get them to connect to you. So once again [INAUDIBLE]
okay. Great. Several excited about that. Yeah, yeah, yeah. Jim liked his video better. So
what does the client look like in this instance? This works in iOS, but I will use an Android
device. If you guys can camp what it is what is missing from this what was in the MSCHAP
attack with the clients. DEF CON secure. You guys all use the DEF CON secure network, right?
Anyway, so we connected DEF CON security. It's PEAP. Let's type in username and password.
It just says identity on android. Bam. We're connected. So what's missing here?
>> [INAUDIBLE] >> that's right. Our cert bogus. Android doesn't
actually ask you to accept a cert, which is interesting because that means later there's
no user interaction. So in client interaction would change. If they have connected to the
corporate network or DEF CON secure network and connect to your evil twin, it doesn't
matter. Awesome, right? Anyway, did anyone see this weekend? Nobody had any idea we
were in here and what we were doing. We basically took with one of my buddies down here that
helped me ‑‑ we basically took a Raspberry Pi and used our same attack tools and just
set up a captive portal. When someone connected to us, they got this captive portal page and
says hey, Jim doesn't know this idea. This is a surprise. It took a lot of his work do
this. I was going to fill him in later. He came in a little later.
>> [INAUDIBLE] >> So anyway, that's what we were doing. There.
So cleartext anyway, where do we get the password? Well, gee, RADIUS was totally awesome
for you to put your cleartext password in debug for us. Cool. That's kind of weird,
right? If you think about it, it's a one‑time password. Well, unless it's an actual one
where somebody mistaken for a one‑time password, and again, the clients developed and this
is a big thing. The way the clients are developed, they just ask you for the user password. You
don't have any authentication for what they're using. This is the screen shot from this weekend
the DEF CON secure network. Blanked out the passwords. I don't think anybody notices their
password. We have MEA and W[INAUDIBLE] user. So anyway, that was from this week to show
you just another example. >> I want to say I had nothing to do with
his attack that he did today or over the weekend. >>
[Laughter] Sure. You say that now. Let's talk about it.
Let's do a recap and figure out what happened here. Version 1 works on anything that GTC that
PEAP version one works natively. So your actual Mac computer, your personal device. Works on
Android again without a cert, which is a huge deal in the attack environments because it
sends you that password right on over. Here's my goodies. The users will have a lot of interaction.
They will see what is going on a little bit more with [INAUDIBLE]. But they're going to
and the attack would work. But typically, I will say it outright, Linux users have more
of what is going on. Why does it say ***.com? There's no actual native support. Someone
would have to install some other software for Windows to work, but again, that wasn't our
focus. Our focus is execs or people that want to bring in their phones or whatever mobile
device or bringing their own device and disaster kind of crap and connect up to the network
because that's who they are and they can. It doesn't really work on Windows. For once
ever, right? That's a rare thing, but whatever. Portal required the [INAUDIBLE] because it
includes passwords and we don't have to do a captive portal. I use it to advertise. You
can put them off the internet and connected to DEF CON secure. iOS devices after the
user accepts first evil twin. It won't just happen in your pocket. We were doing this
with friends of ours that kept seeing the password over and over. It'd pop up and say I
don't recognize this cert and people are like yeah. It's a lot like ***. Give me access.
I will hand it over to Jim because he will give you the intro and then that.
>> Jim: You will need a Linux‑type system. We have used both in the server and the desktop
versions. If you want to download those, you can. If a Wi‑Fi adapter is needed, we're
using hostapd. It should work just fine. Our custom patch that we made just basically goes
in and changes some of the modules built into RADIUS, the pat module and MSG module, to
get them to establish the full connections. So you want to download that. And then the
Wi‑Fi tools is just a bitty tool we just developed. We wrote it in Ruby. People ask
why the hell did you guys use Ruby? So Ruby is basically to me like the canvas for people
that can't draw because I suck at coding. You can take a giant *** on the canvas and
smear it and that always works. Once you download the tool, you say now I know why he said that
because he does suck at coding. I don't do it right by any means.
>> You want to take this one? >> Jim: Yeah.
>> Is that mic working? >> Hello.
>> Yes. Sweet. >> Jim: Josh is going to pull up our live
demo here. We encourage to you try this for those of you not smart enough to turn your
phones off before you came in. >> JOSH: You can just download and look at
the code and do it however you want, like we did in Raspberry Pi.
>> Jim: We have two of the attacks we have built in there. The first one is ‑‑ I
can't even see it from over here. So the peeping Tom attack.
>> Yeah. >> Jim: So you select option 2. It will tell
you a brief description of what the attack will do. So you kind of have an idea of what
is going on. >> Can any of you see it at all? Okay. Let's
make the font bigger here. How about this? Any better? Even bigger? Let's see. It's huge!
>> Jim: Size matters, right, says the lady in the front here with the striped skirt.
>> Jim: Anybody noticed her limp when she walked in the room today? Just saying. Use
your imagination. It was this crap they made me drink.
>> I know. I know. You took one for the team for me too.
>> Jim: Cool pictures and we like that. How many people like colorized with Ruby?
>> Thank you! It looks really cool though, right? Old school, kind of neat.
>> Jim: So anyways, start. You type in your wireless interface and we're using WLAN 1.
We tell it the name. You want to type that in there, whatever company you are working
for. We're using my computer. >> My company rules.
>> Jim: When you guys see the cert, connect to it. Seriously. We're not going to steal
your stuff. If you just hit enter, it will take whatever your security guards default
MAC address is. You can select the channel if you like. If you hit enter, it will default
to 9. I don't know why I picked 9. It will start a bunch of stuff. Basically what it's starting
is starting a RADIUS, or FreeRADIUS if you guys use that. On the top left there, that's
your FreeRADIUS. On the bottom left corner, it's your web server. It will show you the
captive portal and that's all in Ruby. I think it's called WEBrick. You will see people
trying to hit your portal. Over on the right‑hand side, you will see hostapd. That's basically
if you want to see from an access point, you will see people associated with the access
point and that kind of information. Out in the big screen in the middle is your captive portal,
which is what you are waiting to pop up. People have made the connection and accepted your cert
and they're going to type in their credentials again. So hopefully somebody is doing it.
I will say you can type in whatever you want. So if you want everybody in here to see it,
go and do it now. >> If you're trying this with your own device,
it won't work. Vulnerability is only hacked. >> Jim: I'm a loser? You are good.
>> Nobody has done anything offensive. >> Jim: If you're doing a penetration test
in a corporate environment, which is most of them, do you spend this tool up and waited
10 minutes or 15 minutes. >> Somebody flipped them on.
>> I *** your mom. I know. I tried to talk to her a few times. She does her own thing.
I encourage her. Remember do the pull and pray. All right. So the next attack is the
peeping Tom one. So the first only works in iOS and that's only people that are screwing
up MSCHAP at this point in time. So second attack is peeping Tom. It works basically
on everything that supports GTC. You type in your wireless you have plugged in your
machine. My company rules. Yeah. You're right. You want to spoof a MAC address. You have
your RADIUS server starting up so you can see what is going on. You have your AP server
and then you have your GTC passwords. The cool thing about this is if you ever connected
to my company rules before and you've accepted the cert or whatever, it is automatically
going to send your stuff over now to this one because your Android device will ask you
to accept the cert. >> People in have connected with IOST sends
your password of because you have already accepted this cert. But this is just a demonstration.
>> Jim: I like that! Monkey balls. Raise your hand. We love you.
>> Yeah. It is just a great way to see how the attack works right in a row. First attack
is you log in to your company and the second one is it is asking for your credentials and
you are logging in. >> Jim: How many people are familiar with
air crack sweep? You than thing with the guy automatically responds to any probe request.
So imagine if you were just responding to anybody's probe request in this scenario that's
connected to a corporate network before. You're spinning up a fake corporate network. It will
start sending you log ins, which is kind of a big deal. Just saying.
[APPLAUSE] >> Yeah.
>> Jim: Anyways, I will pause back over here to Joshy pooh, the guy that doesn't drink
his alcohol. >> Josh: Don't hate me.
>> Jim: You have five minutes tops. >> Josh: You can just do it. Take my word
for it. Where are. We just we're beeping. All right. Look at that. Let's talk about
how we came about with this? What was our goal and how do we achieve it? So, historical
perspective. The first thing we decided was without Josh Wright and who's the guy that
did the divide and conquer stuff? Crack the actual hash and [INAUDIBLE] access to a client
web and virtual infrastructure online or 10,000 GPUs or PS2s. We were just like you know,
we're lazy. Cracking hash is too hard. There's got to be another anyway of doing. This we
can trick the client to give it to us to establish full and education hand it over to us. Obviously
that's what you guys just saw. So then we start going down the path of how WPA2 works.
What if we accepted everything that radius got sent and sent it back. You saw that even
that, there was some problems with that or in this B2 they work correctly and they dump
the connection. What if radius said everything is okay. We trick the client into making full
connection and do something with them later to get the password. So basically we started
with some past work. Josh Wright's done pretty good work on patching RADIUS to output hashes
into the debug file. So then you can take those hashes and try to crack them offline,
but we started with that. And then we moved on from there and said what else do we do
with radius and I basically put Jim in a little box and let him come out for air in a month.
We start going through every single module what about that one and what about that known people
seem interested in how we figured that out. We started with someone else's work. We did
this 90 will Ruby that's scripting. So how can we do this to make it easier starting
with the great work from others. Yielded unexpected discoveries. We found a vulnerability, as far
as we know, for iOS that's never been reported. We told Apple about it and they told us to
get stuffed in so many words. But it was just random and I encourage you guys to say words
that work. Whatever it is to take you guys wherever you want to go, but test things you
think should work. Test it and make sure. There are times and I say V2 doesn't work,
but here it is. So, you know, we didn't invent time with a flux capacitor, but we did come
up with this patch. We put it in the box and RADIUS that allowed us to test this interest
allowed us to see what would happen when we accept everything in certain ways. That is
with the meat and potatoes of what we're giving to you guys. Anybody sending wireless attacks.
Perfect. It can take some time to set that up. We're giving you guys the patch so you
can test this against your patches. I will pass Jim over here to the last slide.
>> Jim: So basically it will forward you on to our GitHub site.
You can download the tool and the patch. It has an installer script that you can run that's
called sis prep. It will download libraries. But again, read the code and make sure you
understand what is going on before you run it before your guys' own corporate environments
and all that jazz. I promise it won't send your passwords over to you.
>> Josh: You should check though. >> Jim. And it is just a jab of what is it
is going on in the media today. Stop spying on me. That's our talk. We appreciate you
guys taking time to listen to this. >> Josh: If you guys have questions, I think
we're going to be over in the chillout area. Or just catch us walking around. We'll be
here for the rest of the weekend. >> Is this thing on? Everybody first time
talk. [APPLAUSE]
[Cheering]