Crypto-Gram
September 15, 2022
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page.
Read this issue on the web
These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.
$23 Million YouTube Royalties Scam
Remotely Controlling Touchscreens
Zoom Exploit on MacOS
USB "Rubber Ducky" Attack Tool
Hyundai Uses Example Keys for Encryption System
Signal Phone Numbers Exposed in Twilio Hack
Mudge Files Whistleblower Complaint against Twitter
Man-in-the-Middle Phishing Attack
Security and Cheap Complexity
Levels of Assurance for DoD Microelectronics
FTC Sues Data Broker
High-School Graduation Prank Hack
Clever Phishing Scam Uses Legitimate PayPal Messages
Montenegro Is the Victim of a Cyberattack
The LockBit Ransomware Gang Is Surprisingly Professional
Facebook Has No Idea What Data It Has
Responsible Disclosure for Cryptocurrency Security
New Linux Cryptomining Malware
FBI Seizes Stolen Cryptocurrencies
Weird Fallout from Peiter ZatkoΓÇÖs Twitter Whistleblowing
Upcoming Speaking Engagements
** *** ***** ******* *********** *************
$23 Million YouTube Royalties Scam
[2022.08.15] Scammers were able to convince YouTube that other peopleΓÇÖs music
was their own. They successfully stole $23 million before they were caught.
No one knows how common this scam is, and how much money total is being stolen
in this way. Presumably this is not an uncommon fraud.
While the size of the heist and the breadth of the scheme may be very
unique, itΓÇÖs certainly a situation that many YouTube content creators have
faced before. YouTubeΓÇÖs Content ID system, meant to help creators, has been
weaponized by bad faith actors in order to make money off content that isnΓÇÖt
theirs. While some false claims are just mistakes caused by automated systems,
the MediaMuv case is a perfect example of how fraudsters are also purposefully
taking advantage of digital copyright rules.
YouTube attempts to be cautious with who it provides CMS and Content ID
tool access because of how powerful these systems are. As a result, independent
creators and artists cannot check for these false copyright claims nor do they
have the power to directly act on them. They need to go through a digital rights
management company that does have access. And it seems like thieves are doing
the same, falsifying documents to gain access to these YouTube tools through
these third parties that are ΓÇ£trustedΓÇ¥ with these tools by YouTube.
** *** ***** ******* *********** *************
Remotely Controlling Touchscreens
[2022.08.16] This is more of a demonstration than a real-world vulnerability,
but researchers can use electromagnetic interference to remotely control
touchscreens.
From a news article:
ItΓÇÖs important to note that the attack has a few key limitations.
Firstly, the hackers need to know the targetΓÇÖs phone passcode, or launch the
attack while the phone is unlocked. Secondly, the victim needs to put the phone
face down, otherwise the battery and motherboard will block the electromagnetic
signal. Thirdly, the antenna array has to be no more than four centimeters
(around 1.5 inches) away. For all these reasons the researchers themselves admit
that the ΓÇ£invisible fingerΓÇ¥ technique is a proof of concept that at this
point is far from being a threat outside of a university lab.
EDITED TO ADD (9/12): The project has a website.
** *** ***** ******* *********** *************
Zoom Exploit on MacOS
[2022.08.17] This vulnerability was reported to Zoom last December:
The exploit works by targeting the installer for the Zoom application,
which needs to run with special user permissions in order to install or remove
the main Zoom application from a computer. Though the installer requires a user
to enter their password on first adding the application to the system, Wardle
found that an auto-update function then continually ran in the background with
superuser privileges.
When Zoom issued an update, the updater function would install the new
package after checking that it had been cryptographically signed by Zoom. But a
bug in how the checking method was implemented meant that giving the updater any
file with the same name as ZoomΓÇÖs signing certificate would be enough to pass
the test -- so an attacker could substitute any kind of malware program and have
it be run by the updater with elevated privilege.
It seems that itΓÇÖs not entirely fixed:
Following responsible disclosure protocols, Wardle informed Zoom about the
vulnerability in December of last year. To his frustration, he says an initial
fix from Zoom contained another bug that meant the vulnerability was still
exploitable in a slightly more roundabout way, so he disclosed this second bug
to Zoom and waited eight months before publishing the research.
EDITED TO ADD: Disclosure works. The vulnerability seems to be patched now.
** *** ***** ******* *********** *************
USB "Rubber Ducky" Attack Tool
[2022.08.18] The USB Rubber Ducky is getting better and better.
Already, previous versions of the Rubber Ducky could carry out attacks like
creating a fake Windows pop-up box to harvest a userΓÇÖs login credentials or
causing Chrome to send all saved passwords to an attackerΓÇÖs webserver. But
these attacks had to be carefully crafted for specific operating systems and
software versions and lacked the flexibility to work across platforms.
The newest Rubber Ducky aims to overcome these limitations. It ships with a
major upgrade to the DuckyScript programming language, which is used to create
the commands that the Rubber Ducky will enter into a target machine. While
previous versions were mostly limited to writing keystroke sequences,
DuckyScript 3.0 is a feature-rich language, letting users write functions, store
variables, and use logic flow controls (i.e., if this... then that).
That means, for example, the new Ducky can run a test to see if itΓÇÖs
plugged into a Windows or Mac machine and conditionally execute code appropriate
to each one or disable itself if it has been connected to the wrong target. It
also can generate pseudorandom numbers and use them to add variable delay
between keystrokes for a more human effect.
Perhaps most impressively, it can steal data from a target machine by
encoding it in binary format and transmitting it through the signals meant to
tell a keyboard when the CapsLock or NumLock LEDs should light up. With this
method, an attacker could plug it in for a few seconds, tell someone, ΓÇ£Sorry,
I guess that USB drive is broken,ΓÇ¥ and take it back with all their passwords
saved.
** *** ***** ******* *********** *************
Hyundai Uses Example Keys for Encryption System
[2022.08.22] This is a dumb crypto mistake I had not previously encountered:
A developer says it was possible to run their own software on the car
infotainment hardware after discovering the vehicleΓÇÖs manufacturer had secured
its system using keys that were not only publicly known but had been lifted from
programming examples.
[...]
ΓÇ£Turns out the [AES] encryption key in that script is the first AES
128-bit CBC example key listed in the NIST document SP800-38A [PDF]ΓÇ¥.
[...]
Luck held out, in a way. ΓÇ£Greenluigi1ΓÇ¥ found within the firmware image
the RSA public key used by the updater, and searched online for a portion of
that key. The search results pointed to a common public key that shows up in
online tutorials like ΓÇ£RSA Encryption & Decryption Example with OpenSSL in
C.ΓÇ£
EDITED TO ADD (8/23): Slashdot post.
** *** ***** ******* *********** *************
Signal Phone Numbers Exposed in Twilio Hack
[2022.08.23] Twilio was hacked earlier this month, and the phone numbers of
1,900 Signal users were exposed:
HereΓÇÖs what our users need to know:
All users can rest assured that their message history, contact lists,
profile information, whom theyΓÇÖd blocked, and other personal data remain
private and secure and were not affected.
For about 1,900 users, an attacker could have attempted to re-register
their number to another device or learned that their number was registered to
Signal. This attack has since been shut down by Twilio. 1,900 users is a very
small percentage of SignalΓÇÖs total users, meaning that most were not affected.
We are notifying these 1,900 users directly, and prompting them to
re-register Signal on their devices.
If you were not notified, donΓÇÖt worry about it. But it does bring up the old
question: Why does Signal require a phone number to use? It doesnΓÇÖt have to be
that way.
** *** ***** ******* *********** *************
Mudge Files Whistleblower Complaint against Twitter
[2022.08.24] Peiter Zatko, aka Mudge, has filed a whistleblower complaint with
the SEC against Twitter, claiming that it violated an eleven-year-old FTC
settlement by having lousy security. And he should know; he was TwitterΓÇÖs
chief security officer until he was fired in January.
The Washington Post has the scoop (with documents) and companion backgrounder.
This CNN story is also comprehensive.
EDITED TO ADD: Another news article. Slashdot thread.
EDITED TO ADD (9/2): More info.
** *** ***** ******* *********** *************
Man-in-the-Middle Phishing Attack
[2022.08.25] HereΓÇÖs a phishing campaign that uses a man-in-the-middle attack
to defeat multi-factor authentication:
Microsoft observed a campaign that inserted an attacker-controlled proxy
site between the account users and the work server they attempted to log into.
When the user entered a password into the proxy site, the proxy site sent it to
the real server and then relayed the real serverΓÇÖs response back to the user.
Once the authentication was completed, the threat actor stole the session cookie
the legitimate site sent, so the user doesnΓÇÖt need to be reauthenticated at
every new page visited. The campaign began with a phishing email with an HTML
attachment leading to the proxy server.
** *** ***** ******* *********** *************
Security and Cheap Complexity
[2022.08.26] IΓÇÖve been saying that complexity is the worst enemy of security
for a long time now. (HereΓÇÖs me in 1999.) And itΓÇÖs been true for a long
time.
In 2018, Thomas Dullien of GoogleΓÇÖs Project Zero talked about ΓÇ£cheap
complexity.ΓÇ¥ Andrew Appel summarizes:
The anomaly of cheap complexity. For most of human history, a more complex
device was more expensive to build than a simpler device. This is not the case
in modern computing. It is often more cost-effective to take a very complicated
device, and make it simulate simplicity, than to make a simpler device. This is
because of economies of scale: complex general-purpose CPUs are cheap. On the
other hand, custom-designed, simpler, application-specific devices, which could
in principle be much more secure, are very expensive.
This is driven by two fundamental principles in computing: Universal
computation, meaning that any computer can simulate any other; and MooreΓÇÖs
law, predicting that each year the number of transistors on a chip will grow
exponentially. ARM Cortex-M0 CPUs cost pennies, though they are more powerful
than some supercomputers of the 20th century.
The same is true in the software layers. A (huge and complex)
general-purpose operating system is free, but a simpler, custom-designed,
perhaps more secure OS would be very expensive to build. Or as Dullien asks,
ΓÇ£How did this research code someone wrote in two weeks 20 years ago end up in
a billion devices?ΓÇ¥
This is correct. Today, itΓÇÖs easier to build complex systems than it is to
build simple ones. As recently as twenty years ago, if you wanted to build a
refrigerator you would create custom refrigerator controller hardware and
embedded software. Today, you just grab some standard microcontroller off the
shelf and write a software application for it. And that microcontroller already
comes with an IP stack, a microphone, a video port, Bluetooth, and a whole lot
more. And since those features are there, engineers use them.
** *** ***** ******* *********** *************
Levels of Assurance for DoD Microelectronics
[2022.08.29] The NSA has has published criteria for evaluating levels of
assurance required for DoD microelectronics.
The introductory report in a DoD microelectronics series outlines the
process for determining levels of hardware assurance for systems and custom
microelectronic components, which include application-specific integrated
circuits (ASICs), field programmable gate arrays (FPGAs) and other devices
containing reprogrammable digital logic.
The levels of hardware assurance are determined by the national impact
caused by failure or subversion of the top-level system and the criticality of
the component to that top-level system. The guidance helps programs acquire a
better understanding of their system and components so that they can effectively
mitigate against threats.
The report was published last month, but I only just noticed it.
** *** ***** ******* *********** *************
FTC Sues Data Broker
[2022.08.30] This is good news:
The Federal Trade Commission (FTC) has sued Kochava, a large location data
provider, for allegedly selling data that the FTC says can track people at
reproductive health clinics and places of worship, according to an announcement
from the agency.
ΓÇ£DefendantΓÇÖs violations are in connection with acquiring consumersΓÇÖ
precise geolocation data and selling the data in a format that allows entities
to track the consumersΓÇÖ movements to and from sensitive locations, including,
among others, locations associated with medical care, reproductive health,
religious worship, mental health temporary shelters, such as shelters for the
homeless, domestic violence survivors, or other at risk populations, and
addiction recovery,ΓÇ¥ the lawsuit reads.
** *** ***** ******* *********** *************
High-School Graduation Prank Hack
[2022.08.31] This is a fun story, detailing the hack a group of high school
students perpetrated against an Illinois school district, hacking 500 screens
across a bunch of schools.
During the process, the group broke into the schoolΓÇÖs IT systems;
repurposed software used to monitor studentsΓÇÖ computers; discovered a new
vulnerability (and reported it); wrote their own scripts; secretly tested their
system at night; and managed to avoid detection in the schoolΓÇÖs network. Many
of the techniques were not sophisticated, but they were pretty much all illegal.
It has a happy ending: no one was prosecuted.
A spokesperson for the D214 school district tells WIRED they can confirm
the events in DuongΓÇÖs blog post happened. They say the district does not
condone hacking and the ΓÇ£incident highlights the importance of the extensive
cybersecurity learning opportunities the District offers to students.ΓÇ¥
ΓÇ£The District views this incident as a penetration test, and the students
involved presented the data in a professional manner,ΓÇ¥ the spokesperson says,
adding that its tech team has made changes to avoid anything similar happening
again in the future.
The school also invited the students to a debrief, asking them to explain
what they had done. ΓÇ£We were kind of scared at the idea of doing the debrief
because we have to join a Zoom call, potentially with personally identifiable
information,ΓÇ¥ Duong says. Eventually, he decided to use his real name, while
other members created anonymous accounts. During the call, Duong says, they
talked through the hack and he provided more details on ways the school could
secure its system.
EDITED TO ADD (9/13): HereΓÇÖs Minh DuongΓÇÖs Defcon slides. You can see the
table of contents of their report on page 59, and the schoolΓÇÖs response on
page 60.
** *** ***** ******* *********** *************
Clever Phishing Scam Uses Legitimate PayPal Messages
[2022.09.01] Brian Krebs is reporting on a clever PayPal phishing scam that uses
legitimate PayPal messaging.
Basically, the scammers use the PayPal invoicing system to send the email. The
email lists a phone number to dispute the charge, which is not PayPal and
quickly turns into a request to download and install a remote-access tool.
** *** ***** ******* *********** *************
Montenegro Is the Victim of a Cyberattack
[2022.09.02] Details are few, but Montenegro has suffered a cyberattack:
A combination of ransomware and distributed denial-of-service attacks, the
onslaught disrupted government services and prompted the countryΓÇÖs electrical
utility to switch to manual control.
[...]
But the attack against MontenegroΓÇÖs infrastructure seemed more sustained
and extensive, with targets including water supply systems, transportation
services and online government services, among many others.
Government officials in the country of just over 600,000 people said
certain government services remained temporarily disabled for security reasons
and that the data of citizens and businesses were not endangered.
The Director of the Directorate for Information Security, Dusan Polovic,
said 150 computers were infected with malware at a dozen state institutions and
that the data of the Ministry of Public Administration was not permanently
damaged. Polovic said some retail tax collection was affected.
Russia is being blamed, but I havenΓÇÖt seen any evidence other than
ΓÇ£theyΓÇÖre the obvious perpetrator.ΓÇ¥
EDITED TO ADD (9/12): The Montenegro government is hedging on that Russia
attribution. It seems to be a regular criminal ransomware attack. The Cuba
Ransomware gang has Russian members, but thatΓÇÖs not the same thing as the
government.
** *** ***** ******* *********** *************
The LockBit Ransomware Gang Is Surprisingly Professional
[2022.09.07] This article makes LockBit sound like a legitimate organization:
The DDoS attack last weekend that put a temporary stop to leaking Entrust
data was seen as an opportunity to explore the triple extortion tactic to apply
more pressure on victims to pay a ransom.
LockBitSupp said that the ransomware operator is now looking to add DDoS as
an extortion tactic on top of encrypting data and leaking it.
ΓÇ£I am looking for dudosers [DDoSers] in the team, most likely now we will
attack targets and provide triple extortion, encryption + date leak + dudos,
because I have felt the power of dudos and how it invigorates and makes life
more interesting,ΓÇ¥ LockBitSupp wrote in a post on a hacker forum.
The gang also promised to share over torrent 300GB of data stolen from
Entrust so ΓÇ£the whole world will know your secrets.ΓÇ¥
LockBitΓÇÖs spokesperson said that they would share the Entrust data leak
privately with anyone that contacts them before making it available over
torrent.
TheyΓÇÖre expanding: locking people out of their data, publishing it if the
victim doesnΓÇÖt pay, and DDoSing their network as an additional incentive.
** *** ***** ******* *********** *************
Facebook Has No Idea What Data It Has
[2022.09.08] This is from a court deposition:
FacebookΓÇÖs stonewalling has been revealing on its own, providing
variations on the same theme: It has amassed so much data on so many billions of
people and organized it so confusingly that full transparency is impossible on a
technical level. In the March 2022 hearing, Zarashaw and Steven Elia, a software
engineering manager, described Facebook as a data-processing apparatus so
complex that it defies understanding from within. The hearing amounted to two
high-ranking engineers at one of the most powerful and resource-flush
engineering outfits in history describing their product as an unknowable
machine.
The special master at times seemed in disbelief, as when he questioned the
engineers over whether any documentation existed for a particular Facebook
subsystem. ΓÇ£Someone must have a diagram that says this is where this data is
stored,ΓÇ¥ he said, according to the transcript. Zarashaw responded: ΓÇ£We have
a somewhat strange engineering culture compared to most where we donΓÇÖt
generate a lot of artifacts during the engineering process. Effectively the code
is its own design document often.ΓÇ¥ He quickly added, ΓÇ£For what itΓÇÖs worth,
this is terrifying to me when I first joined as well.ΓÇ¥
[...]
FacebookΓÇÖs inability to comprehend its own functioning took the hearing
up to the edge of the metaphysical. At one point, the court-appointed special
master noted that the ΓÇ£Download Your InformationΓÇ¥ file provided to the
suitΓÇÖs plaintiffs must not have included everything the company had stored on
those individuals because it appears to have no idea what it truly stores on
anyone. Can it be that FacebookΓÇÖs designated tool for comprehensively
downloading your information might not actually download all your information?
This, again, is outside the boundaries of knowledge.
ΓÇ£The solution to this is unfortunately exactly the work that was done to
create the DYI file itself,ΓÇ¥ noted Zarashaw. ΓÇ£And the thing I struggle with
here is in order to find gaps in what may not be in DYI file, you would by
definition need to do even more work than was done to generate the DYI files in
the first place.ΓÇ¥
The systemic fogginess of FacebookΓÇÖs data storage made answering even the
most basic question futile. At another point, the special master asked how one
could find out which systems actually contain user data that was created through
machine inference.
ΓÇ£I donΓÇÖt know,ΓÇ¥ answered Zarashaw. ΓÇ£ItΓÇÖs a rather difficult
conundrum.ΓÇ¥
IΓÇÖm not surprised. These systems are so complex that no humans understand them
anymore. That allows us to do things we couldnΓÇÖt do otherwise, but itΓÇÖs also
a problem.
EDITED TO ADD: Another article.
** *** ***** ******* *********** *************
Responsible Disclosure for Cryptocurrency Security
[2022.09.09] Stewart Baker discusses why the industry-norm responsible
disclosure for software vulnerabilities fails for cryptocurrency software.
Why canΓÇÖt the cryptocurrency industry solve the problem the way the
software and hardware industries do, by patching and updating security as flaws
are found? Two reasons: First, many customers donΓÇÖt have an ongoing
relationship with the hardware and software providers that protect their funds
-- nor do they have an incentive to update security on a regular basis. Turning
to a new security provider or using updated software creates risks; leaving
everything the way it was feels safer. So users wonΓÇÖt be rushing to pay for
and install new security patches.
Second, cryptocurrency is famously and deliberately decentralized,
anonymized, and low friction. That means that the company responsible for
hardware or software security may have no way to identify who used its product,
or to get the patch to those users. It also means that many wallets with
security flaws will be publicly accessible, protected only by an elaborate
password. Once word of the flaw leaks, the password can be reverse engineered by
anyone, and the legitimate owners are likely to find themselves in a race to
move their assets before the thieves do. Even in the software industry, hackers
routinely reverse engineer MicrosoftΓÇÖs patches to find the security flaws they
fix and then try to exploit them before the patches have been fully installed.
He doesnΓÇÖt have any good ideas to fix this. I donΓÇÖt either. Just add it to
the pile of blockchainΓÇÖs many problems.
** *** ***** ******* *********** *************
New Linux Cryptomining Malware
[2022.09.12] ItΓÇÖs pretty nasty:
The malware was dubbed ΓÇ£ShikitegaΓÇ¥ for its extensive use of the popular
Shikata Ga Nai polymorphic encoder, which allows the malware to ΓÇ£mutateΓÇ¥ its
code to avoid detection. Shikitega alters its code each time it runs through one
of several decoding loops that AT&T said each deliver multiple attacks,
beginning with an ELF file thatΓÇÖs just 370 bytes.
Shikitega also downloads Mettle, a Metasploit interpreter that gives the
attacker the ability to control attached webcams and includes a sniffer,
multiple reverse shells, process control, shell command execution and additional
abilities to control the affected system.
[...]
The final stage also establishes persistence, which Shikitega does by
downloading and executing five shell scripts that configure a pair of cron jobs
for the current user and a pair for the root user using crontab, which it can
also install if not available.
Shikitega also uses cloud hosting solutions to store parts of its payload,
which it further uses to obfuscate itself by contacting via IP address instead
of domain name. ΓÇ£Without [a] domain name, itΓÇÖs difficult to provide a
complete list of indicators for detections since they are volatile and they will
be used for legitimate purposes in a short period of time,ΓÇ¥ AT&T said.
Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux
endpoint and IoT device managers keep security patches installed, keep EDR
software up to date and make regular backups of essential systems.
Another article.
Slashdot thread.
** *** ***** ******* *********** *************
FBI Seizes Stolen Cryptocurrencies
[2022.09.13] The Wall Street Journal is reporting that the FBI has recovered
over $30 million in cryptocurrency stolen by North Korean hackers earlier this
year. ItΓÇÖs only a fraction of the $540 million stolen, but itΓÇÖs something.
The Axie Infinity recovery represents a shift in law enforcementΓÇÖs
ability to trace funds through a web of so-called crypto addresses, the virtual
accounts where cryptocurrencies are stored. These addresses can be created
quickly without them being linked to a cryptocurrency company that could freeze
the funds.
In its effort to mask the stolen crypto, Lazarus Group used more than
12,000 different addresses, according to Chainalysis. Unlike bank transactions
that happen through private networks, movement between crypto accounts is
visible to the world on the blockchain.
Advanced blockchain-monitoring tools and cooperation from centralized
crypto exchanges enabled the FBI to trace the crypto to where Lazarus Group
tried to cash out, investigators said.
The money was laundered through the Tornado Cash mixer.
** *** ***** ******* *********** *************
Weird Fallout from Peiter ZatkoΓÇÖs Twitter Whistleblowing
[2022.09.14] People are trying to dig up dirt on Peiter Zatko, better known as
Mudge.
For the record, I have not been contacted. IΓÇÖm not sure if I should feel
slighted.
** *** ***** ******* *********** *************
Upcoming Speaking Engagements
[2022.09.14] This is a current list of where and when I am scheduled to speak:
IΓÇÖm speaking as part of a Geneva Centre for Security Policy course on
Cyber Security in the Context of International Security, online, on September
22, 2022.
IΓÇÖm speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on
September 22, 2022.
The list is maintained on this page.
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.
You can also read these articles on my blog, Schneier on Security.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.
Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.
Copyright © 2022 by Bruce Schneier.
** *** ***** ******* *********** *************
--- BBBS/Li6 v4.10 Toy-5
* Origin: TCOB1 - binkd.thecivv.ie (618:500/14)
|
Computer Support/Help/Discussion... 
