What you see is not what you get - when homographs attack
Formal Metadata
Number of Parts | 102 | |
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
Identifiers | 10.5446/43249 (DOI) | |
Transcript: English (auto-generated)
00:15
I'm going to talk to you about user interface security and homograph attacks.
00:29
Thank you very much for coming to the talk, I know it's pretty late, but we appreciate the fact that you guys made it. So here's a quick intro about myself.
00:40
My name is Julia Sazza-Fort, I'm director of professional services and partner at But yeah, let's just move on, make a quick intro about the talk. So since the introduction of Unicode in domain names, a series of security implications have appeared, came along as well. So the presentation aims to discuss some security risks around internationalized domain
01:05
names and how applications such as browsers, email clients, and secure messengers as well, they fail to handle IDNs in a secure way and end up exposing users to unnecessary security risks, and by making it much easier for phishing attacks and visual spoofing to materialize.
01:28
So here's a quick agenda about the talk. So we start presenting, like speaking about internationalized domain names, how they work, how they can be registered, and so on, and we move on to talk about homographs and the
01:43
associated security risks that come along with them, and then we explore how user agents, in this case, like browsers and email clients and so on, how do they react to homograph attacks, and later also show some practical attacks against some of them, and how we can also defend ourselves, and then we're going to end up wrapping up the
02:02
talk afterwards. So now we're going to speak about internationalized domain names and the emergence of the IDNs. So essentially, the internet was never designed to be multilingual. So it was created mostly in the United States, using ASCII characters, so that is
02:22
like Latin characters, and domain names have always been confined to be Latin-based characters, as I just mentioned. However, there are billions of people that do not have Latin-based languages as their first language, and kind of the way internet worked, that actually mainly still works,
02:43
it somehow excludes the fact that these people would like to use their own language, their own alphabet, to express themselves in the internet. And because of that, ICANN ended up coming with a resolution, like a version of the internationalized
03:03
domain names, that it ended up giving a lot of support, a lot of this wide support, to Unicode. This was around two decades ago, and the support for Unicode, because Unicode ended up on different languages, like Cyrillic, alphabet, like Russian, for some really old
03:28
ancient European languages, and so on. So this is why they decided to go with Unicode for that, but then we have a little technical problem when we ended up implementing IDNs, and the main technical problem here
03:45
is that DNS, and, like, as you guys know very well, DNS is like some of the building blocks of the internet, and it's only ASCII, so it doesn't really speak Unicode, and because of that, they come up with a different way to make this glue, and the fact they
04:07
come up with this, something called Punycode. So Punycode essentially converts Unicode to ASCII, and then, for example, it converts this emoji of this nice little cow here, .ws, which, by the way, this is actually a valid domain,
04:23
this actually exists, to xn-- and something else like that, or ÖBB.at, which is the train company from Austria, so this also gets translated into Punycode in order for DNS to actually work with that, and then the user interfaces will do the user-friendly
04:43
part of things, and we will convert back and forth, and IDNs and Unicodes and so on are also things like this, like poop.la, this actually also exists, this is like a poop emoji, and domain name, we will see later on about some rules around that, or
05:02
I love tacos, these also exist, too, again, with an emoji, or completely full Cyrillic domains, including even the top-level domain, which is, by the way, the full version of Yandex, and this is called also like a full IDN, as we're going to see later
05:23
on in the talk. Yes, actually, it came much faster than I actually remember it. So this is like partial IDNs, so ÖBB.at, which means that there are some internationalised characters here, like this O with the double thing on the top, but the TLD is .at, so
05:43
you use the Latin alphabet, whereas we have these full IDN ones, which, in this case, I don't know Russian, so I don't know how to pronounce that, but this points to the Kremlin official website. So now we're moving on to homographs, and talk about security risks, and some
06:03
considerations associated to it. So Latin script, for example, it can represent a variety of languages. It can represent, for example, Portuguese, Spanish, English, Italian, French, and a bunch more. And then also the fact that I would like to speak about is that different scripts,
06:24
they share numerous characters that either look exactly similar or have a very strong resemblance. So what I want to explain here is, for example, there are like some characters, say A in Latin, the Latin script, that has a very, very strong resemblance to
06:43
something very similar in Cyrillic or in the Greek alphabet and other alphabets out there. So, and they are called confusable homographs. As we can see here, like the first part of things, like the number one is actually Latin, and this is the Unicode code point of it.
07:03
And the second one is the one in Cyrillic. And even if we zoom this a lot, it's very, very hard to distinguish them from a visual standpoint. There is also an O in Latin, and there is an O with a horn, but also in Latin.
07:24
So even the same language and the same script has some characters that they look alike a lot. But, yeah, I mean, we zoom in here a lot so you can see the actual horn in the O, but with a very small screen, and depending on the font, this can be actually very hard to tell.
07:42
Also, we have here P, and P in something like that in Cyrillic. Apologies for those that actually speak Russian. I probably didn't really speak it properly. There is also, like, and the list goes on and on. Like, this is a small C in Coptic, which is, I don't even know which
08:05
language it is, has something very similar, and also in Cyrillic. You can go to Graphemica, which is coming next slide, yeah. So graphemica.com, there is pretty much a whole list of different
08:23
Unicode code points and symbols and so on, and you can actually find many of them that are confusable with Latin characters. So now we're moving on, speaking about user agents and homograph attacks and how they handle it. So font rasterization and visual spoofing is our next topic.
08:42
There are a bunch of important factors that we're going to see in the next upcoming slides. So these attacks, they are mostly, they happen a lot because of a few important factors. So the way the font is actually rendered into display, so display size, font size, and they all play a role
09:02
in fooling the user, actually, into believing that a domain that he is visiting or clicking is not a legitimate one. So, as we can see here, like using the font Tahoma 68 point, in Latin, apple.com, and there is using apple with Cyrillic confusable,
09:23
there is absolutely no way to distinguish this from visual standpoint. So even if we use another font, like Bookman Old Style 70 point, we can see that there is a little thing off between the L and the other L for apple,
09:42
which is actually not an L, it's just a capital I, but in Cyrillic. And there are other fonts that they actually do a better job at making these things distinguishable. As you can see here, the one in Cyrillic is pretty off. So you can actually tell there is something dodgy, something fishy going on. And this is actually, like, now we're talking about
10:04
like the user agents, so in this case, like secure messenger applications. Wire for desktop, this is like the example here, and Telegram. So I zoomed in as well, like some 400%, and you can see that in here, like, so,
10:22
well, actually I have to explain a few things before. So I registered, like, HERE, I think it used to be Nokia Maps or something like that. So I registered like a full homographic version of it in Cyrillic for like, as part of research for this talk. So I was doing all these tests and so on with some of these domains that I actually owned.
10:43
And by the way, I'm actually happy to give them back to HERE, like, if they're interested, because all the research is pretty much done by now. So yeah, let's go back here. So this is the legitimate one, and the homograph one, how Wire renders them. You can see that pretty much everything is exactly
11:02
the same, there is just something off in the R, but this is because we zoomed in a lot, like 400%, actually. So like pretty much like five times as much. And in Telegram, some characters as well, like for example, the H is a bit off in this particular case, but then, as we'll see later,
11:22
there are some characters that are completely indistinguishable too. Yeah, so this is actually the Telegram with iOS as well, and Wire. So just, yeah, let's move on with this. So essentially, we were talking about this,
11:42
like as I mentioned, ICANN had this resolution back in 20 years ago or so, when they came up with it. But then they realized that there were like a few flaws in the way they were actually allowing people to register domains. So essentially, it was possible to, they realized that, oh, there is this
12:02
confusable homograph thing, and this actually can be a problem. So it means that people can register like google.com with, say, the E that looks like the E from the one in Cyrillic, and then that will be, well, that will be very complicated to actually slow down these attacks. So in these slides, we are talking about some of the rules
12:23
around the registration of homograph domains, and they vary a lot depending on the top-level domain register as well. So for example, the .net, .com, .tv, and so on, they allow different scripts from many languages. So you can see, like, it allows Portuguese, Romanian,
12:42
Japanese, Thai, and all these characters, for example. And a few others are more permissive, like .ws, .to, I think .la, you can even come up with emojis. Even though, I think, if I'm not mistaken, the RFC doesn't allow emojis to be there, but, well, it's not the first time that people don't really follow RFCs as they should.
13:01
And for example, like .berlin, Latin and Cyrillic script are the only ones that get allowed, so some of the top-level domains, they're actually a bit more restrictive than others. So, yeah, as I said, like, in the version one, it allowed mixed scripts, and then they realized,
13:20
well, this is actually a security problem, and there will be a lot of trouble in the future with that. And I think, like, a couple of years ago, there came up, like, a few other versions of this resolution called, well, version two and three, that they disallowed mixed scripts. However, pure scripts are still completely fine to register.
13:42
And now that we're seeing here, so all these examples here, like PayPal, Apple, Opera, and so on, they're all homograph domains that actually could be registered, because there was no way to stop from registering pure script homographs. And many others, list goes on and on and on.
14:04
So now we're gonna see some actual practical attacks, like see how this is actually gonna build up into actual computer security problems. So the practical attacks, like, the very first time this, even before IDN was actually reintroduced by ICANN,
14:21
and even before all these internationalized domains were even a thing, so this was, like, back in 2001, the two Israeli researchers, they said, oh, this is actually gonna be a security problem. And the original paper is very interesting, it's very short, it's only, I think, two or three pages. And, like, I totally recommend the read to understand more about these issues.
14:40
But only lately, I think, like, the past couple of years, especially this year, it has been picking up a lot. And phishing, like, all these phishers and all their different adversaries are now noticing this, and we are seeing a rise in such attacks. And, like, I think it's also very important to speak briefly about some historical
15:01
and recent bugs related to homographs. So Firefox, like, back in 2005, the guy, Eric Johanson from Shmoo Group, he filed a ticket within Firefox, like, with Bugzilla, saying, hey, like, you guys are not doing anything
15:21
to prevent such attacks. This was actually, unfortunately, taken as a P3 importance bug, even though I think it's actually definitely something that should be higher, but, like, so this was, like, a visual spoofing that URL bar. We're gonna see some of this a bit later on in the talk. Recently, there have been, like, a few CVEs,
15:42
like one for Safari, that this letter called dum, it was interpreted exactly as, like, this is like a Latin letter from, well, some language that nobody probably even speaks anymore. But still, like, it's in the script, of Latin script, and the way it was rendered by Safari was just purely rendered as a D instead of this dum.
16:04
Also, just recently, in 2019, there was one K in Cyrillic that was interpreted as, actually, an actual K in ASCII, and there was also this research by, well, I don't know, I cannot speak the guy's name, I'm sorry, that he also found, like,
16:22
different vulnerabilities in the way Chrome, Firefox, and a few other browsers, I think Opera as well, how they reacted to these kind of problems, and as a response, Chrome, at least, came up with an improvement in the algorithm to detect this is confusable,
16:41
and it's probably the best one that they have these days. And again, there are a few tickets open in the Bugzilla of Firefox. They treat it as a P3 importance, again, whereas Chrome treats it as a P1, and as Tor Browser is also based on Firefox, it means that it's also vulnerable,
17:02
and unfortunately, I don't know why, but people from Tor Browser, they could just go and fix this thing, but they claim that they are waiting for Firefox to know what they're gonna do in upstream in order to finally fix it. I don't think it's actually a very acceptable excuse, but anyway, it's just my personal opinion.
17:21
So yeah, the way browsers handle IDNs, so after these homographic attacks that were published by this Chinese researcher in 2017, Chrome stepped up the game big time, like mad props for that, and then Firefox, and also Tor Browser, still lagging behind.
17:42
But yeah, the way that they handle IDNs, Chrome actually probably has a very complex policy that seems to do very well at preventing these attacks. Opera and Brave, I think they follow the same, the same algorithm as Chrome when I was doing tests.
18:01
That's what it seemed to me, at least. Internet Explorer, surprisingly, was never really vulnerable to this thing, like this is probably the only class of bugs Internet Explorer was never vulnerable to, whereas Firefox and Tor Browser are still lagging behind, as I just mentioned. So now moving on to email client and web mails. So this is what I call a backstabbing friend.
18:22
So for the sake of user friendliness, some web mails and some email clients, they convert that Punycode that we just saw, like xn--, and some weird other characters, back into Unicode, like to make it user friendly.
18:40
But very often, there are no checks for confusable characters, they are not made. So as we're gonna see here now with, there's an example, there's Hushmail. So Hushmail is like a secure mail provider, and if you really, really zoom, you're gonna see, this is actually a domain that I own as well.
19:00
It's kind of like a part of this research, of this IDN and homograph. Facebook with something on top of the K. So if you just see like in your computer, it's as if there is some dirt on your screen, that's it. You would just pass as it looks to you as Facebook.com,
19:20
and this actually goes straight into your inbox. It doesn't get flagged by anti-spam or anything, or at least not with Hushmail, and with a few other services that I tested, including some big ones that I unfortunately cannot really speak about now, because they have not fixed it yet. Also there is, there was actually even a standard CVE recently in Roundcube.
19:40
So again, I used my domain here.com, that's like xn-- something. If I send an email to anyone using Roundcube, Roundcube will just convert it back to make it user-friendly, and it will appear as if it comes from here.com. Again, no checks and nothing else. It's actually, Roundcube is doing exactly
20:01
what it's supposed to do, deliver email. So it would just go straight into your inbox, but then from a visual standpoint, you can essentially spoof the domain name where this comes from. And now this, well, how Signal handled, this was also assigned a CVE earlier this year.
20:20
So Signal, both for Android and Windows, were vulnerable to this. So if you see here, can you spot the fake URL? There is actually no way to tell from a visual standpoint. Signal for iOS, I don't know why, but it made the link that was homographed unclickable.
20:41
So that's great, for iOS it didn't work, but for the other versions, they were actually vulnerable. Telegram as well had the same issue. And Telegram actually went even as far as making that quick preview of this website,
21:01
so using the fake one. So you could really make, pull off, like a real, very convincing phishing attacks with that. So let's just talk about actually a quick demo here with homograph attacks with Signal and Tor browser.
21:22
I hope the video all right. So by the way, these issues were fixed by Signal a couple of months back. Also, actually Telegram fixed it for a while, but it seems that they just reintroduced it when I was checking things for the talk this week, and it seems like it went back,
21:41
so some regression was not really done properly. But yeah, let's see the video here, the attack. So yeah, this is a fake link of apple.com. Totally legit, you can click. And then the URL bar, there was no way to tell. Oh, I have to, oh, sorry, how to do that?
22:03
I don't know. All right, sorry about that, guys. So yeah, back here to the video.
22:25
So yeah, it's like fake apple. Yeah, the URL bar would just display apple and so on. And Tor Browser is still vulnerable to this, both like in mobile version and in the desktop version. So let's back to, all right,
22:42
I don't know how to use my own computer. I don't know where, that's actually shameful. I need some help again. I don't, all right, I don't know. Oh, yeah, I need some help again, sorry about that.
23:06
So yeah, talking all about this hacking and everything, but yeah, like some basic stuff and the computer cannot do it, that's pretty shameful. All right, so as we just saw like these issues here, and now I think like it's very important to talk about like how to defend yourself.
23:21
You know, honestly, like for browsers, preferably just use Google Chrome, like they are the ones actually putting an effort in preventing such attacks. And also many other security relevant stuff that Chrome does, so it's really worth using it. There are like a few extensions developed by third parties, like phish.ai is one of them,
23:41
that also prevents and detects some attacks. I believe there are other extensions, too, that will pretty much do the same. And for Firefox, you can actually turn off the whole thing with showing Punycode to true, so it means that it will never show again all this, the Unicode thing,
24:02
it will just show the actual Punycode of it. For email, like from what I tested, Outlook, ProtonMail, Tutanota, and RF, they're fine. Other popular ones, not so much, as we just saw, Hushmail, and there are like a few other, especially web mail providers, that they have not done any work yet on this,
24:23
even though some of them actually reported this, hey, I think it's a problem, some of them replied, some of them not, some of them are slower than others to fix things. And then again, this is like Chrome, just introduced it, I think like a month, month and a half ago. So basically, Chrome has a list of the 10,000
24:42
most visited websites, and it will actually do some sort of work to detect, like, oh, it looks like somebody's trying to pull off an IDN homograph attack against GitHub, and are you sure you want to go to GitHub.com or to this thing that's dodgy and somebody's trying to phish you?
25:00
And also from a defense perspective, from the, sorry, from the human eye perspective, there was like a proposal that never really took off, that they wanted to have different colors in the letters that are not Latin alphabet, so I mean, the ones that are Latin-confusable. This never really took off, like it's probably not that great from a user interface
25:24
and user experience point of view, and I think that's why it never really picked up momentum. There are a few developer, sorry, application developers, there are like a few libraries that they check for confusables, so they would just do part of this, of the heavyweight for you.
25:45
And now we are wrapping up the talk. So essentially, confusable homographs, they have been around for a while, as we saw since, well, some 20 years or so, since pretty much the very introduction of internationalized domain names by ICANN,
26:00
but very little has been discussed around them, and they're very frequently overlooked. And these issues are not really part of threat model for many applications, as they are very often considered social engineering, so actually, good luck for you. If you're trying to submit something like this
26:20
to a bug bounty program, many of them will say, hey, this is social engineering attack, it's out of scope for my program. But actually, some of the secure messengers, I actually got a bounty from one of them that I didn't really mention here, because, well, it's part of, we cannot really speak about it, that it's part of the bug bounty program, but I think it was the only one
26:42
that actually gave a small reward for this kind of issue. Even though in the very beginning, they said it's not a security issue, because they're doing exactly what they're supposed to do, is to display links. But yeah, if you're displaying a link of Google, and when they click there, it takes you somewhere else, or it's probably something off.
27:00
And ultimately, I think application security teams, they can do much more at being proactive in preventing these threats. For example, Google Chrome is actually doing a pretty good job with that, not only now recently showing this interface to the user, hey, are you sure you're going to the correct website? And also improving their algorithms
27:21
to show the domain names. And whereas many other softwares are not actually doing it, instead of asking for users to be vigilant and please don't click on bad links or stuff like that, just not really an option, or even worse, waiting for ICANN to come up with a magic solution for the problem,
27:41
I remember that one of these secure messengers, when I reported this issue to them, they said, well, this is also not a problem because we are doing exactly what we're supposed to do, display links, and this is a problem with ICANN and registrars. We have tried to shift the blame. No, it's actually not their fault.
28:00
It's actually the fact that you're not really doing this thing correctly. And here are a few references about this research. I really recommend reading them up, if you're interested. And yeah, thank you very much. Still question time now.
28:26
Thank you for the talk. Do we have any questions from the room here? The internet? Nope. Wow.
28:41
This is really amazing. I hope I explained everything so well, there's no questions left. Yeah, it kind of seems like that. There are no questions unanswered on this amazing topic. Okay, great. Then we'll wrap it up and call it a night, and thank you very much,
29:01
and give him one more warm hand.