Firmware, Fire and the Future of Cybersecurity | Smoked Manhattans with Paul Asadoorian

Welcome to the Security Cocktail Hour. I'm Joe Patti.

Insert your name here.

Insert your name here. You're Adam Roth. How are you doing today, Adam?

Thanks for letting me know because I was a little bit surprised.

Yeah, I'm on top of things if you are. Yes, sir. Today, we have a very special guest. We have a luminary, a security podcasting legend, dare I say. Paul Isidorian. Paul, welcome to the show.

Hey guys, good to be here. Thank you so much for having me on the show. I love talking to you guys, I love doing podcasts, and I love drinking while I do podcasts, so this was a match made in heaven.

Alright, and what are we drinking today? Let's get right down to business.

So yeah, I was just kind of getting set up. I wanted to make a cocktail, so just pretend that we're making a Manhattan, except I'm just going to use bourbon.

I've got mine pre-made, so...

I'll give a shout out to the fine folks at Corn Con that gave me a bottle of bourbon. I actually wrote the dates of the conference on the back of it, so I would read it on the show. So they totally social engineered me into plugging them. So my whole thing is now, if you want me to talk about your conference on any podcast, you're just going to send me a bottle of bourbon. So this is Corn Con Vintage 2024. Their conference is October 11th through 2025. I think I'm obligated to read that every time I drink it on the show.

I think so, but you've been podcasting longer than us. Is it in bad taste for us to then... you know, go after them for some sponsorship money. I was just going to say that.

Yeah, absolutely we should. We should. That's right. And they'll send you a bottle of bourbon. What's better than that?

What's better than that?

Yeah. Again, pretend this is a Manhattan. So what I do is I've got these little cocktail smoker things. So this is what I've been doing on my podcast recently. And so you put that on the top of the glass, and then I even got like a special fancy torch. And then you torch it with some wood chips. I'm using cherry wood. I forget the company, I don't know, I bought this on Amazon, so you don't have to be fancy. And you put a little fire to it, and then you get this little cap thing on here, and you just kinda, you let it smoke. So I'm into like the smoked cocktails, or you can just use bourbon, like I'm doing. And you just let that sit for a little while, and then you take it off there, and it gives it a nice smoky flavor.

We're gonna have to change the name. Yeah, really.

I was going to say, I thought I was hardcore, because we have the official security cocktail hour martini glasses here for my Manhattan.

Is that a dirty martini?

No, it's a, well, it's a Manhattan, actually. That's why it's dark. Not with the smoke.

Not with the smoke. Yeah, good for you.

I was lazy. I didn't break out all the ingredients. Not that there's that many in a Manhattan.

Yeah, but you got the smoke thing. Man, that's complicated. I thought I was cool with the branded glass, but you know, you got fire in your act. That's right. That's better than anything. Bringing the fire.

You don't have to recut this, Joe, but let's start this again. Ready? Welcome to the Smoke Security Cocktail Hour. I'm Adam Roth. That's right.

Yeah, so we're just kind of, you know, letting it steep in there and then I'll take that off and it gives it like a nice effect. You can also get the ones where you put your whole glass inside of like a glass container with a tube and it's got like a little pump thing and you burn the stuff and it pumps it. That's like really fancy. I like these here in the studio. They, they tend to work well. So cheers. Cheers. Good stuff. Yeah, absolutely.

So Paul, you do a lot of interesting stuff. And from what I understand, your thing is the whole hardware hacking thing and all that stuff. But I know a lot of people, I want to say just flat out neglect, and they probably shouldn't. Because I think a lot of people in security just really don't understand it. They don't know how to deal with it.

or they don't want to deal with it. You know, it's interesting in a lot of what I do, right? So I'm currently the principal, a principal security researcher at a company called Eclipsium. I'm almost three years in Eclipsium and I joined Eclipsium for a number of reasons. One, they were actually a sponsor of my podcast. So I knew, I knew many people on the team and I was looking to make a transition in my career and I had to start making a list, right? I'm like, What do I want to do? And I'm like, I want to work with firmware, hardware security. I'm like, but I want to, I want to like make a difference. I want to tackle problems that are in the enterprise. Right. Cause I've done a lot with IOT stuff for consumers and that's like a whole different ball of wax. And Eclipsing was like that perfect fit. Right. Um, where we're focused on and where I wanted to be was focusing on these dusty corners. Someone used that analogy with me when I first started in 2004 and said, Paul, you got to be the person that goes in the dusty corners, cleans those up for people, earns their respect, helps them clean up things they didn't know they needed to clean up. And that's kind of a way to build trust with someone that you want to do business with. And I kind of flipped that into, well, there's a lot of dusty corners in security. And I think these hardware and firmware components that are in every device that we use, your PC servers, laptops, web cameras, whatever it is. And I'm like, this is a whole attack surface that, as you said, Joe, right, that people don't pay attention to. They don't often fully understand. I'm like, this is where I want to do research. This is where I want to have a solution where we can help people with this attack surface that attackers know about, certainly. But we as an industry don't always, across the board, vendors, enterprises don't do a great job at securing. And it's interesting, once I got at Eclipsium, I started looking at what we did. And I was like, you know, I think I'm like, I'm pretty good at protecting my own stuff, keeping my stuff up to date on patches and updating my firmware. And I got, you know, our software on one of my systems. And it was like, well, you don't have a UEFI update. Uh, you know, you're out of date and there's vulnerabilities with your UEFI BIOS, right? UEFI is the predecessor to traditional BIOS. I was like, well, that's interesting. I'm like, how do I update that? And so I go to my manufacturer's site and there's no update for it. And I'm like, wow, I thought I was good at security. Turns out I was ignoring this dusty corner as well. I'm like, well, I'm in the right place. And I ended up writing a three-part blog series when I first joined Eclipsium about all of this previous research, about all these things and all these basically dusty corners that live in all of our devices, particularly PC servers and laptops, right? It is one thing we do network devices and appliances also have like largely firmware based and you know we've seen a proliferation of course of vulnerabilities in Palo Alto, Juniper, Fortinet, Cisco, I mean the list goes on we see not just the vulnerabilities, but attackers going after this attack surface, because there's a lot of reasons for that, right? Low visibility, it's great points in the network to be on, attackers gain stealth, they gain persistence. So that's kind of, you know, that's my day job in a nutshell.

I can definitely add two things in there, right, Paul? So three things. One, when I used to work for Joe, And I don't want to mention where, just for that reason alone, but obviously people can figure that out. But when you start implementing technology, those dusty cornies come to surface. Like, oh, my God, we didn't know we had a problem here. The second thing is, Joe and I have worked with certain companies where they were former Intelligence military for a country and they always talk about. We used. You know, we live with the land and it's Linux. It's firmware. It's, you know, we, we can use all the Linux tools in there and we can move laterally. as far as we want. And then what we also talk about, right, is the routers and the cameras and everything else that uses Linux. Very rarely are they updated. But the last thing I'll say is this. I used a certain router that I wanted to use. I got it at a great price. I was so happy to get it. And I went back to that company. And it's an enterprise company, and we all know the name. And I said, hey, can I get an update? No, you can't. If you want it, it's a subscription. It's $300 a year.

It's expensive.

Yeah, your device is worth $59 retail. We're not going to give it to you for free. So I'm like, I'm never using your technology again.

Right, right. I want to harp on the, Adam, you mentioned the ILOs, and that's a big area of research for us at Eclipseum, is the BMCs, Baseboard Management Controllers, right? ILO's the one from HP, Dell has the iDRAC, and there's a lot of different, you know, flavors. You got OpenBMC, we could do a whole hour on this whole landscape, right? But to distill it down, what I love to say, because I love this show back in the early 2000s, right? Like you love computers so much, I put a computer inside your computer. And that's what your BMC is. And it's not just a computer inside your computer. It's got these tentacles inside the hardware that give it full access to everything in your computer, independent of your computer. Now, obviously we know as IT admins, that's a great benefit. If I need to rebuild the system remotely, I can connect the computer inside your computer and I can do things. But from an attack surface standpoint, largely, these are ARM-based processors that run Linux. And there's a huge attack surface. Not only that, once you gain access to one of these BMCs, you have the highest level of privilege on that system. Because not only you're independent of the operating system, you're independent of UEFI, you're independent of all of these other subsystems and security controls inside that hardware. So this is like where the hackers want to be if they want to take over your systems. One of our researchers, Vlad, talks about a script he wrote, which he hasn't released, thankfully, but essentially sends your computer, your server, into an infinite reboot loop in the BMC. And there's really no way to stop it, other than physically interfacing with the hardware to recover it. There's no way to stop it. So if you want to cause physical damage, there was a paper about causing physical damage, basically making a computer like melt down through this access to the BMC, and you want to maintain stealth and persistence, that's the place to be. Right? Right. Yes.

A lot of people don't want to add it because it complicates that out-of-band network.

Well, years ago, those were the safest networks. Used to love them, would be like, that's the tightest network, there's nothing on it but here, you SSH across it. But then, like I said, they started getting more sophisticated, like they basically became Linux machines, and they hooked them up for remote access, so people could VPN recidivism to it. And then, it's a regular network.

One of my favorite moments on a penetration test was, it was we talked about network access to these BMCs. Some people exposed them to the internet, like that's super bad. Right. Other folks may not have them all separated onto their own network, and they end up on whatever network that your workstations are connected to. It was on a pentest, connected to an iDRAC server, and it had a default password. So I logged into the iDRAC and then it was like, well, give me a terminal session on the host operating system. It's like, oh yeah, I can do that. That's built-in, that's a feature. When I logged in, it was a Linux system and I was sitting in a root prompt. because whoever, whatever administrator before had used that session had logged in as root and left it. So I basically reused their session. So I was like, you know, the first, uh, you know, after the first initial scan, I went to my contact, I'm like, I'm root on one of your Linux servers. They're like, how did you do that so fast? I'm like, let me tell you about iDRAC.

Well, I, I always laugh. Like, um, I would say on an enterprise network, is, I shouldn't be saying this because I'm probably speaking out of turn, but there's a 100% chance you're going to find a password and username once you have even regular access. And you do a scan of the network, you're going to find it on a notepad somewhere, and you're going to find the draft that's even changed because somebody put it into a spreadsheet that doesn't want to use a password account manager. And I think pretty much, and you've done this, right? Anybody who does IR, anybody who does pen testing, pretty much can find a password on a network, on a loophead somewhere.

Yeah, yeah. If it's not the default, if it's not easily guessable, maybe it's in some other file or data that I've encountered, you know, in my penetration test, or an attacker would, you know, on when they're compromising a network. But that aside, vulnerabilities in the BMCs are super, like, bad. Like, some of them are just bad. So there's, one of the big research projects we took on was a three-port series that we have now. And a lot of it focuses around Redfish. And Redfish is essentially that API standard that's implemented inside of your BMCs. And so you end up with this basically a web application that is governing access to the BMCs. Now, from a process and IT support standpoint, it's a great win, because now I can interface with this API, I can manage all of my servers, I can update them, and it's great. But from an attacker standpoint, now I can attack a web application in order to gain access to a BMC. And so Vlad is the researcher at our company, Vlad Babkin, he's amazing. has documented and discovered several vulnerabilities that abuse Redfish in order to gain unauthorized access, to escalate privileges, to take advantages of flaws in the implementation of this Redfish API.

Oh, you got to know that's going to happen. Because I mean, as soon as you say, oh, we'll put a web interface on it, you know, kind of the textbook says, well, that's okay if it's done well and it's written well, which you know, it's not going to be, it's going to be something that's been slapped together. Yeah.

In a lot of cases, I mean, there are. It's not public yet, but it will be soon. And I'm realizing there's different levels of companies that are protecting this sensitive area of our networks, and some are better at it than others. And so there are some that are the shining example of how you need... Yes, do they have vulnerabilities? Sure, and they fixed them. But they're also paying attention to the supply chain, to all of the dependencies, and fixing those vulnerabilities, providing SBOMs for the firmware that's inside of these things. Upon request, if they backported a fix, and it doesn't show up in an SBOM, they produce that list as well so that you know exactly what's being fixed and what level of security you're at for that given firmware. Because some vendors are doing a great job. Some are not. And there's everyone in between. And we need to Make sure we're making the example of the people that are, we can talk about how firmware and BMC is typically have shoddy code and have a lot of vulnerabilities, but there are ways to fix that, that we know how to do, and some are actually doing it. And those folks need to be the leaders in the model that we follow.

All right. So I've got to put you on the spot. I'm not going to ask you to name names, but of the enterprise vendors who have this, the big ones, I mean, what percentage of them would you say are doing a good job or taking it seriously?

Yeah, so it depends on like what tier, right? In terms of BMCs, I think there's a very small percentage that are doing it truly well. Most of them are not keeping that Linux distribution updated, if they are, not to the same level that some are, right? So I think the majority of them have a lot of work to do to adopt that SDLC, to adopt the processes that allow them to produce a really secure implementation. So in our assessment, because we looked, a lot of them have a lot of work to do.

So I'm going to make a comment and then I'm going to ask a question. The comment I'm going to make is just because there's vulnerabilities in a certain hardware does not mean, and even if you don't know it, it does not mean that you can't protect it. Everything's about mitigation. Nothing's 100% able to be blocked. But microsegmentation is your friend, right? If you know that you only have certain ports, certain sources, certain destinations, you can limit that attack surface using microsegmentation. And a lot of people don't do it. One, because it's probably another person that they have to train and keep up to it and manage it. But the second reason probably is because people don't want to spend the money. My question to you is, Speaking of hardware, speaking of vulnerabilities, what are your thoughts about the tracking hardware that you could turn on the feature in firmwares of laptops mostly to find out where that laptop is? Do you think people take advantage of doing that lowjack on the laptop or people just don't?

There was a big piece of research that Eclipsium released before I joined that was analyzing lojacks. I believe they did that in collaboration with someone else and found vulnerabilities in that tracking software. It was a long time ago, I don't remember all the details about it, but it was... If you go on Eclipsium site, you can read about it. It's actually fascinating. It was one of the great pieces, like one of the things that made me want to join Eclipsium, right? I was like, you guys are doing awesome stuff. Like you're thinking about how can an attacker abuse the tracking software, right? That's built in, that was being built into. I think vendors have largely gotten away from that. I haven't looked into that in some time.

Me either, but I know at one point it was embedded in a lot of laptops and it was off. And then I, again, I'm not an expert at this at all, but people claim that they were able to turn that on if they had physical access to that machine and physical access. If they had remote access to the machine, they can enable that BIOS feature without even going into the BIOS, turning it on and finding where the machine is. But these days, GPS is so easy. You know, you write a little software code, you know, somebody hits a wire and now you know where the machine is.

A lot of it comes down to knowing what you have and knowing what's enabled. And, you know, that's, it's one of the interesting things. Like, again, when I started looking into what's under the covers in my laptop, what loads before the operating system, I was like, wow, there's so much stuff here. Like, how do I keep track of all the components that I have? Like, even just the number of components. Do I have tracking software enabled? Do I have this component, that component? Is it vulnerable? Does it need to be updated? In addition to all the stuff we have to do in the operating system and above, which keeps us all busy, underneath all of this stuff is a whole other attack surface that I gotta know everything. What's my microcode on my CPU? We just covered an article on the show about a Rapid7 researcher that developed ransomware that lives inside of the CPU microcode. How do you detect? That's some next level stuff that's pretty awesome.

And I saw on LinkedIn, they were talking about malware code sitting inside of printers too. But that's been a long time, but now it's come back.

All right, so let me ask you this then. So yeah, we got these, that low level stuff. It's basically a Linux machine now can get ransomware. Well, you know, we know how to secure Linux. There are a lot of tools for it. I mean, are there any tools? I mean, is there at some point, is there going to be an EDR for your...

I mean, that's what Eclipsium and other companies are working on, is the EDR for these devices. I think one of the things that's super interesting along these lines is my co-host Sam Baum brought this up on a show, and he was like, you know, Well, you talk about these Linux systems that are inside your computer and these small devices. Because it's so small and embedded, you know what should be running on there. You know what the kernel should look like. You know what all the binaries are. You know what was in your firmware package. Why can't you implement a root of trust that says, well, any other software that tries to come on the system, it's invalidated. It's not going to run because we're going to sign everything that runs inside of the firmware. Anything new, shouldn't run, because it's not a desktop. There's no user on it that goes, oh, I need Chrome and Firefox and all these other utilities. This is an embedded system, right? It's a purpose-built system to provide a very specific function. Therefore, The firmware should cryptographically verify everything that's allowed to run and everything else. Why do I need to run everything else is malicious. And I would love to see adoption of this, a standard that allows us to build Linux based firmware devices that implement something like this. I've not seen it. It might exist. I mean, there's probably academic papers that talk about it. I believe there are. I actually think Sam remembers reading papers about it. I'd love to see more adoption of this because what we're doing is we're trying to glom on something externally and go, let me go look for everything that shouldn't be there. When in reality, these small systems, we know what is an anomaly because it's not part of what we intended to put on it.

Yeah, I mean, but we're kind of going down the same road with these things that are supposed to be small and tight and purpose-built. And, you know, remember years ago you hardened something, so a PS has 12 lines or something, you know, everything that's running. But now, They're getting bigger, and they're getting more complicated. Like you say, they got a web interface on it now, and all of a sudden, it's not such a simple, tight little thing anymore. It's becoming more and more like a full-on computer.

Well, Moore's Law kicks in, right? So, it's interesting. I don't like to toot my own horn and say I had a crystal ball, but there's a but there. Fifteen years ago, I gave a presentation at BrewCon called Embedded Device Hacking and My Plot to Take Over the World. And in that talk, I outlined why attackers would want to go after these small devices, what benefits that had to them, how they could utilize the infrastructure in these devices to, you know, and I kind of theorized like, remember Pinky and the Brain? We're like dating ourselves now, right? Younger folks don't remember Pinky and the Brain. They need to go look that up. Their whole thing was they wanted a cartoon that they want to take over the world. I was like, well, what do you need to take over the world? You need money, you need power. I had like respect and then I was going into the whole Scarface kind of quote, right? But basically the two fundamental building blocks are money and power. Well, how do you do that? How do you monetize these devices? And I gave examples of how you discover these, how you target these devices, how you monetize, examples of folks that have monetized that. It's still going on today. We covered a story just tonight. that talked about how the US has indicted four Russian hackers because they built a proxy network. They compromised IoT devices, put proxy software, and then were selling that. It was like an automated billing subscription service that they built. And it was somewhere between $19 and $100 a month, and you could rent this. And if you wanted to conduct malicious activity on the internet, you don't want to go to a commercial VPN provider because they might cancel your account. You come to the Russians and they're like, oh, we got you. Give us 20 bucks a month, we'll give you access to these proxy servers that are running these small IoT devices. They compromised tens of thousands of these and made... I mean, do the math. If they compromised tens of thousands and they were renting it out, they were making a lot of money off of it.

Is that a proxy as a service?

A proxy as a service, yep. That's all they were doing. And that's, I mean, the three of us could, we could conspire and we could do the same thing, right? With our collective knowledge, we could be like, ah, we could compromise devices, put proxy software on it and rent it out.

It'd be awesome.

It's a great business model.

It's like squatting.

Yeah. So let's take a little bit of a turn, right? Our Android phones, our apple or iphones for lack of a better term pretty much android pretty much android operating systems they got the camera exposed they got the microphone exposed all you need to do is just have someone take a piece of software allow mic access allow you know a camera access you know and somebody's already in there right and then you can move laterally from the Bluetooth or from the near proximity or from the NFC or the wireless and move on to a machine. Because a lot of the times Bluetooth, they say it's getting better, but how much better is it getting, right? So once you compromise a phone and you're near a PC, and you're in good proximity, there's a good chance you could move laterally, right? That's what nation states are doing, right?

There have been some discussion, I have like vague memory now of discussions about attackers compromising things like a phone and then moving laterally via other protocols, Wi-Fi, Bluetooth, whatever it is, right? I don't think we've seen a huge proliferation of that, but it's something we have always been concerned about in terms of how do I get on the inside of a network. Yeah, most people are phishing or using other mechanisms, but if I can compromise a device, like a phone, and then move laterally, or... There was another one, we were talking about the Russians with a... they compromise a Wi-Fi access point and use that to pivot. And there's been like these small examples over the years, Adam, to highlight what you're talking about. We haven't seen a lot of it, but we have seen these interesting pivots in all these devices. Because as we established, there's a lot of compute power in the devices we carry in our pockets, in the web cameras, in the surveillance camera, whatever it is. There's a lot more compute power in these devices today that attackers can use to move around on your various networks.

Well, I think they also look for the targets that aren't, you know... secured as well. You know, remember the APT days 15 years or so ago, it's like they couldn't get through firewalls, so they started compromising endpoints to get in. You know, now, like you said, they're going after, you know, firewalls and devices like that because they realized, hey, they may be security devices, but they're actually not always written any better. They're just going to go for, one thing gets hard, they're going to find something else.

They're just Linux PCs at the end of the day.

Most of these modems that you get from the cable company that they install, They have the full passwords and usernames. You don't have to even worry about the router unless they're integrated. But I'm like, well, just type this username and password and go, it's the same password and username for everybody. Yeah, you know.

It's interesting, one of the things I talked about over the years, so like Larry Pesce and I, my dear friend Larry, he wasn't here in studio tonight, he was actually teaching remotely, right? But normally he's been with me for 20 years, and we wrote a book together in 2007. And one of our things, like once we wrote the book about how to use WRT54GE routers to like do hacking kind of stuff, we were like, well, let's flip the tables. What if attackers attack these devices? And one of the core concepts we came up with was, okay, why would someone want to compromise a router, a printer, or one of these devices? And we're like, look, There's no monitor, mouse, and keyboard on these devices, which also means there's no user sitting in front of the PC. So when you look at an endpoint device, your laptop, desktop, there's a user sitting in front of it that is observing things. When you compromise a device, like a printer, as an example, There's no user on that system. There's no monitor, there's no mouse, there's no keyboard, there's no user interface, maybe like a tiny little screen. So an attacker can hide much more easily on these devices. You fast forward that to today, that's exactly what attackers are doing. They're like, oh, your VPN appliance, it's hanging out on the internet because it has to hang out on the internet that doesn't have an active user on it that, by the way, runs Linux. is totally susceptible and it's in a central point in the network where it has access to the internet. It also has access to your internal network. Well, no wonder they're a juicy target today. It's a perfect storm for attackers.

And it's funny you bring that up also, right? Because a lot of these things are funny. When I was working with Joe, somewhere. We had this pen test, but what they did was they moved laterally purposely. I mean, they had some privileges purposely to shorten the time, but they were able to move from somebody's personal machine, meaning Joe's personal machine, take a cookie and move through a tunnel into an enterprise infrastructure. So the point I'm making is, it's if you want to get into an enterprise, compromise a person's personal router, move laterally to that machine, and then find a way to tunnel through that tunnel, right?

Oh, yeah. As I look at it now, you know, I mean, I got this. Is it popped? I have no idea. And frankly, I have no way of figuring it out. I mean, if it doesn't log, you can't run anything on it. Who the hell knows?

Yeah, I'm a big fan of, I like PFSense and OpenSense as my firewall operating system, right? It's based on BSD. It's one of the most tried and true TCP IP stacks in existence today. Still actively maintained. all kinds of updates. You can run it on a whole host of PC hardware that's not expensive at all. But that's like a nerd's solution, right?

I did that when I was a lot younger before I had kids, put it that way, and I had the time to work on that shit.

So I bought one of those Zima boards, like these tiny little PC-based architecture. I got it on like a Amazon Prime Day or Black Friday deal. It was like 30% off or something like that. And I put OpenSense on it, and that became my firewall. And I'm like, that's great for me. A nerd who knows how to go find the right hardware, knows about the firewall software, can keep it up to date. That's great. What do we do for the rest of the population? So Paul's grandiose plan, as I call it, for securing these routers, right? Because we've got a huge problem in terms of now there's so many of these routers on the internet and so many of them are end of life and not getting updates and contain a lot of vulnerabilities. whether that's vulnerabilities in the software or just default credentials that let attackers in, they're end of life and they're not getting updates. And attackers are, I mean, there's dozens of articles even recently about this exact behavior going on, attackers going after these end of life routers. How do we fix this problem here in the US? And so my grandiose plan is to just throw money at the problem. And my co-hosts tell me this is communism, but I'm like, look, Everyone who has one of these routers needs an ISP to get connected to the internet. So you've got that relationship that you can build on. So what if we were to just give ISPs a whole bunch of money, some grant funding, government tax dollars, whatever it is, and be like, look, you need to take this money and build a program that identifies people who have end of life routers and you need to get them a new router. However you incentivize them. free month of internet, zero cost or low cost router replacement, will come out to your home and replace the thing for you kind of thing. To me, that's the only way we solve this problem. Right? Your family and like grandma's not going to be rushing out to the store to go replace their router because it's end of life. They have no idea. that they even have a router, let alone what it is, what it's running, if it's end-of-life or vulnerable. They just got this old crusty thing that's collecting dust somewhere in the corner. I believe the ISP is the opportunity to help go replace these systems.

I solved it, Paul. You can say thank you. So when you go out to buy a refrigerator or a or air conditioner or something, you get energy savings. And when you buy energy savings appliances, you can take it off the tax credit. So if your router is less than a year or two years old, you send the certificate that comes with it, and you can write it off on your taxes or something like that.

But I love your idea because you're in the same mindset as I am, right? If we were in the same room, I'd give you a hug right now. Virtual hug. We're talking about incentives, right? We have to incentivize ISPs and users to update this gear. Right now, there is zero incentive. for anyone to update anything, because they're like, whatever. Like, if Russians are proxying through my network, as long as my internet's working, I don't care. We have to build incentives to update what I deem as critical infrastructure here in the U.S. Because if an enemy nation-state wants to cause a bad day for the U.S., this is one way to do it, right?

Well, I'll tell you what I think, and you know, to be honest, I'm a bit of a... Yeah, what's Joe's plan?

You've heard Paul's plan, you've heard Adam's plan. I think they're both great plans. No, I'm talking about the ISPs,

greediest fricking companies in the world. They'll charge you 30 bucks a month to rent a router that's end of life and that works like crap and all that stuff. Well, you know what? They are getting revenue off these things. I mean, and I'm not big on regulation, but let's pass a regulation that at least the ISP you can't be charging someone every month for something that's in the life.

And that's out there.

I love that, Joe.

That would eliminate a huge amount of stuff, just like that.

I think, but Joe, you bring up a great point. I believe regulation has to play into this as well, right? As much as we hate regulation, it needs to be smart regulation that helps us get there. And I love that.

Yeah, well, I hate regulation. I mean, the other side of it is to say, okay, if they don't do it, give them some liability that says, okay, if you're renting this shit out, And it's used, you know, there's going to be some penalty for it, which is not going to happen. You almost need both. You need both. But it's the Robert Levin law, Joe.

The Robert Levin law. I love it. I love it. Look at this. We're solving the world's problems right now. We got it.

I'm a congressman.

I'm going for a doctorate. I was in a concentration on ethical warfare. I think I'm going to concentrate now on improving the robbery situation in the United States to reduce the tax surface.

I love it. I love it. Next round, we're going to solve software security. We'll be good. We got it. That's a big problem.

Are we charging for this podcast instead now? I'm kidding. Look, you know, that's one of the things I see put out a lot lately by InfraGard, you know, the FBI's InfraGard. They're constantly talking about and so a lot of people are talking about the people that are not talking about it. And the manufacturers of the riders and switches and protocols. There's so many CBEs out there that if you stack the CBEs, you'll be able to climb the stairs to the moon. But that's the truth, right? You know, that's 1 of the biggest issues we have. I do not see companies, and if I'm wrong, call me out. I do not see companies forcing these updates, pushing these updates, alerting you to these updates, saying, guess what? You haven't updated one of these companies. I had a problem with a certain router company. They were very nice people, and I said, I haven't seen an update on your router in two years. Wow, By the way, the next day, we came out with a new update. I'm like, did I trigger an update for another company? Because I complained. You know what I'm talking about, Joe, right?

Yeah. I forgot about that. That's right.

They came up with it. And then I said, Okay, they said, give me a short run. I'm like, how do I do a short run? I don't see any commands on this router to do a short run. Send us the bin file and give us your password and username so we can put this bin file on somebody, another router in the lab. I go, that's your answer?

Wow.

I'm like, that was really scary to me that you wanted my password. Well, you know what? Change your password and username first, download the bin and give it to us. I'm like, oh my God, why can't you just have a regular short run?

Yeah. Well, that's the, so you hit on a point like moving to enterprise gear, network and security appliances. And my whole, like, it really grinds my gears, right? It's a family guy reference, right? Lindsay Lohan grinds my gears that these enterprise security companies provide you with a box. And they're basically like, look, you can't run any software on it. We're just going to give you a box and you're just going to trust us that we've done all of our due diligence to give you a secure platform. Go put this in your network. Go put it in the critical points of your network. Use it to protect your enterprise and just trust us. Everything under the covers is secure. And by the way, you're not allowed to do a shield run. You're not allowed to... hook into the kernel to do any kind of monitoring and any kind of advanced EDR or run software on it. Like when we get Windows, we don't trust that Microsoft has given us the best default configuration to run Windows. We implement group policy and we tweak that. And by the way, we put a lot of other software on top of that. We implement vulnerability management. We put EDR software on top of that. But when we get an appliance from a major security vendor, they're just like, yeah, just trust us. You don't need to run any other software on it. Just trust us. We can't give you access to the things under the covers. Just trust us. Also, when you lift the covers on these devices, which we've done collectively as the security research community, We're like, oh my God, this is terrible. There's a lot of vulnerabilities here. There's no way for us to monitor for malware or malicious activity on these devices unless we break them and root them and give physical access to get into the internals inside of them. And I'm like, this is not where we need to be. We need better visibility. We need the enterprise security vendors to give us access have some facility where we can have better visibility and do a better job of monitoring what's on these devices.

So, Paul, I have four letters for you, and I want to see your face when I say these letters to you. Ready?

I'm ready.

P-U-P-N-P. Oh, God.

Oh, Jesus. Oh, God. It's right up there with IPMI and these horrible protocols, right, that Oh, God. I mean, hopefully that's not an enterprise routers, but yeah, universal plug and play. I remember looking at that when we wrote the book, and I was like, this is horrible. And then subsequently there was a series of vulnerabilities, right? And also just Inherently, like, oh, like just through software I can just poke holes in a firewall with no authentication.

Why is that a good idea again? So for our audience that doesn't know what that is, basically it's a protocol built into your router that will automatically put your device on the network to make it easier for it to be accessed in case you were sharing it with somebody like a PlayStation or something, right? Is that the best way to define it?

Or like a web camera, right? Talk to the router and you're going to open up firewall rules for me because I told you to. Like, no.

Don't do that. And the reason, if you remember when these things came out, you know, everything used to be so hard to do. UPnP comes out and you're like, oh my god, it's magical. How does it work? How do they do that? Well, it's simple. It'll just connect to frickin' anything.

And the reason why I brought that up is we don't have to have vulnerabilities. We don't have to do any configuration. Pretty much a lot of these routers are UPNP by design. You plug your PC in, it's on the internet already.

Yeah. Well, it's that usability versus security. That's it. Totally.

And you know, also with that kind of thing, It's not laziness, it's quality. And I know they're trying to get things to market, they're trying to make it easy and everything. But like you talk about some of these devices, they're not patched, they're not made well. I always look at that as, frankly, a quality issue. I mean, people ask me sometimes like, oh, why did these things get hacked? Why did some of these things get done? Okay, sometimes the answer is it's just junk. It's just not made well. It's like we know how to do a better job. They've just decided not to. And that's what's so frustrating.

There's a lot of kids out there, like, for example, my son, he wanted to play Minecraft. And I'm like, oh my God. I've got to change. I never ride with a DMZ. So I end up putting a DMZ out there. And I end up changing the NVR. And I no longer added it to the network or made it accessible to the network. I end up this, and I know this is bad, but now it gets a meet me connection. for that vendor and that vendor, then you can connect to that vendor site. I'd rather do that, even though I know if somebody compromises the supply chain, they can get to it, whereas everybody can get to it, right? So you're picking a poison. Do I wanna get punched in the face or kicked in the groin? You pick the one you want.

I love that. That's like the most New York saying ever. I love it. I love it.

I'm gonna use that. Okay. So I got to ask you about something else while we still got time, Paul. I know we had talked about this, but okay. Linux desktops in the enterprise. Are there actually any? Because in my new job, I was allowed to choose a Mac and I thought that was like outrageous and crazy. But Linux, I mean, other than like hardcore developers, does anybody? Is that really out there?

Wow, you opened a can of worms. Okay. We're at this interesting juncture right now where it's very controversial to say we're on the cusp of being the year of the Linux desktop. Let me explain why. There's a lot of folks that are frustrated with Apple and Microsoft specifically for a whole host of reasons. But one of the perfect storms that's leading up to this is end of life of Windows 10 being October of 2025. And couple that with their requirements for Windows 11. So they're saying, look, you need an 8th gen 8th Gen Intel CPU, as an example. I'm not sure what their AMD equivalent is, but 8th Gen Intel CPU, you need a TPM 2.0, and all these other things. Those are still perfectly fine systems. And so to say I've gotta jump to Windows 11, but I can't if I've got this older hardware, a lot of people are not going to observe about that. You've got very famous YouTubers now, PewDiePie is 151 million subscribers, did a whole video on why he's switching to Linux. not like a tech, it's not a huge tech channel, right? This is breaching the masses. 51 million views on his video that talks about him switching to Linux. And he's like, look, and he talks about the same things I talk about. He was like, look, I don't want a start menu that's got advertisements and the weather and all this crap in it. He's like, I paid Microsoft my hundred whatever dollars for the license. Why do I have to look at ads? Why do I have to have all this bloat? Why do I need OneDrive? Why are you forcing me into a Microsoft account? Why is Microsoft pushing this notion of Well, if you load a driver and it causes problems, like you can just connect back to Microsoft or we can connect to you and we can fix that for you. That's super weird. And then Microsoft's like, well, recall was a total failure. But you know what? We really want you to have Microsoft recall. Like we really just want to take screenshots of your desktop. So there's a whole privacy aspect. There's all of these factors playing into. People don't want what's being pushed on them from Apple and Microsoft anymore. They want the freedom. Couple that with running a Linux desktop today is not what it was five years ago certainly It's actually yes, there's a huge population of people right now in my opinion that Tried Linux three to five years ago ten years ago had a bad experience and when like screw it I'm going back to you know Apple or Microsoft. I don't blame you I have a lot more patience than I've been using Unix and Linux for a long time. And so I'm the exception, not the rule. But you fast forward to today and I'm like, I think there's a lot more people that could be running Linux just because Linux has evolved as a desktop operating system. But then you couple that with all the other factors I had before. We haven't even talked about Apple and, you know, Apple has its own issues. My issues with Apple were... If I wanted a bunch of the GNU utilities, I had to use brew and it blew up all the time. Also, if I used Apple and their software ecosystem, they'd be like, oh, your hardware and your software and your operating system are out of date. And you can't update all that stuff. You've got to go buy new hardware. And I'm like, well, your hardware is really expensive. And I'm like, it's totally fine the way it is. Why are you forcing me to update when your hardware is totally fine? I mean, I had a Mac. Remember the trash can Mac Pros? You could use that as your desktop today a thousand percent and it would be totally fine. Totally fine. But they're like, oh no, you're not going to get operating system updates. You're not going to be able to run the latest versions of software. You're not going to get security fixes. I'm like, screw you. I went to Linux a long time ago after multiple attempts of going to Linux. But now I think we're at this juncture where A lot of people, security professionals especially, can have a great time running Linux. We're a much more technical audience across the board.

I would actually challenge that. The funny part about it is you don't need to be that technical, astute person. Because back in the day when you did Linux, you had like, I want to run this driver, I want to run this. You got to do a wrapper around it. Remember those wrappers? Oh, my God.

Oh, yeah. You got to recompile your kernel. Everyone's like, I don't want to run Linux because I remember recompiling my kernel. I'm like, dude, I haven't recompiled my kernel by hand myself in a really long time. And though I could if I wanted to, if you listen to the Linux podcast and more even Linux experts than I, they're like, you really don't need to. Like you would back in the day, and you would get performance improvements, driver support. But like today, you're not gaining that. If you customize your kernel for you, you're not gaining that much performance. I stopped doing that years ago.

It just wasn't worth it, you know?

There's Fortune 50 companies now that if you go work for them, you can pick Linux, you can pick Windows, you can pick Mac. They allow you to pick Linux. One company I work for, it's like, hey, use Linux, don't worry about it. The other thing to this is, is that back in the day, you couldn't buy a Dell or some computer with Linux. You had to buy a bare bones or pay for the license from Microsoft and not put Microsoft or take Microsoft off and put Linux. Now, everything is currently with Linux. And the question is, what flavor? And now I see so many people out there that are half my age that are kind of becoming experts because before that their mom's watching their kids meanwhile they're doing Cali and they're doing half the box so it's those days of being Linux and being like super like technical, a lot of people have gotten really good and using Linux for all these different tools and they've gotten their way into cyberspace or cyber security. But the issue really is now, are there enough jobs out there? So now we made it easier for people to learn Linux, but we made it harder for them to get a job.

Yeah, I think Linux is a great skill to have. I think one of my huge things along those lines is Docker and Docker containers. It was designed and developed to run on Linux. And if you're a developer, and you're coming in with, hey, I understand Linux, and I understand Docker, Ah, like, I'm like, you're hired. Like, first of all, if you're developing software for me, I'm like, that's great. That's a great skill. Cause there's so much software and software stacks that are built on Docker and Docker containers. And that just thrives in the Linux. And it was developed like with the Linux kernel, right? It was, it was made to run on. That's one of the advantages for me running Linux as a desktop. I can spin up containers. Sure, you can run those on Windows. It's not the same experience. I love having Linux at my desktop. I can spin up containers. I can customize containers. I haven't released it yet, but I've got a great multi-stage Docker build of Nmap that gives you Nmap with all the vulnerability scanning scripts that you can get in a Docker container. You can select which Nmap version you want. It compiles it. It builds it on the latest Ubuntu container. It pulls down all the vulnerable things. It's multi-stage, so I get rid of all the heavy cruft that comes along with building it. And I bring that to the next stage. If you know Docker, you know what I'm talking about in terms of multi-stage builds. I'm like, that's just awesome. And I have that natively. I found that. If I was running Mac OS or Windows, I would have these other Linux boxes that I needed to do work. And I wasn't doing much of my work on the other platforms because I needed Linux to do my other work. I'm like, let's flip that around. Let me use Linux as my desktop to do my work. And if I need. Windows, for example, I do. I have a Windows laptop here, a Windows system at home, and I use that for the edge cases where I need Windows. So I kind of flipped it. But again, old school me is the anomaly, right? I was telling my coworkers the story of when I started at university in the early 2000s. And they, they hired me. That's a whole other story. I don't know if we have time for that, but they hired me. And so I start and they're like, look, what do you want for your workstation? Do you want like a windows or do you want to run sun Solaris?

And I was like, thank God you didn't say Linux.

Cause if you said Linux, I was going to feel so early too. So early 2000s, Linux was still early 2000s Linux.

They even had Spock, Spock, Spock laptops for a small period of time.

Oh, I didn't. I didn't even know that they had spark laptop.

It was really short period of time.

It's insane. Oh, I'd love to see one of them. But so so they asked me, like, what do you want to run? I'm like, well, what is I know what my answer is, but I'm also curious, like, what does everyone else run? Like we all run sun workstations. I'm like, well, that was my first choice anyway. I was just kind of curious. Sun workstation. They're like, oh, by the way, There's this one application, I don't know if you guys remember Remedy Helpdesk. That client only ran on Windows. And so they're like, look, what we're going to do is we're going to give you a Sun workstation. They're going to give you this card. And there was this card, PCI card you plugged into your Sun workstation that ran Windows. And there was some facility, I was trying to recall exactly how it worked today on our group call with our researchers, right? And I was like, there was some facility where I could get into Windows, but it was basically a computer inside your computer that ran Windows in my son workstation that let me run the remedy client so I could create and manipulate tickets in Remedy.

You're terminaled into something else to run Windows.

I think it was some, they must've had some software on Solaris that allowed me to get the interface on the car. Amazing technology.

I always Ultra 10. Ultra 10, you remember Ultra 10s?

Yeah, yeah, yeah. That's what I owned in my own house.

I had an Ultra 10.

Yeah. Was that the pizza box or was it a tower?

It was a tower. Let me really date myself. I think you posted something like this. I ran back in the day, a CPM machine.

Yeah. I'm old. I had an Ultra 10 before I worked for the university. Yes. The previous job I had left or moved positions and left me an Ultra 10. But at the university I had a pizza box with the card in it. And that was my workstation. And I was in heaven, right? That was awesome. And then I tried Linux like so many times to run as my regular desktop. I refused to use Windows. Then I got one of the first PowerPC Macs. I was like, this is pretty close. Like, I get BSD under the covers, I get a shell.

Was that the 6509 ones, right? Something like that?

I think it was. Yeah, I had one of the early, PowerPC-based Macs, then they went to Intel. I adopted those. And then I have it in my presentation, because I'm presenting at RVASEC. So I have the details in there. At some point, I switched my laptops to Linux, and then switched my desktops to Linux. And I've been Linux ever since, for probably 10 plus years. To the point today, I have two Manjaro workstations and two Manjaro laptops, and those are my compute devices and they all basically, I call it Arch with training wheels, right? It's Manjaro, a little extra testing, a little extra polish on Arch Linux.

I was going to say, I'll tell you my journey.

I'm not even going to go back all the way because I did a lot of DOS and Windows on Spark, which was painful. You know, years ago, I was a Sun guy, and I, for myself, I mean, you know, I got home with these crappy PCs and these lousy Windows machines. I'm like, I want a Sun for home. Well, you know, they were like insanely expensive.

Yeah. I had the giant Sun CRT monitors, right?

But they were great. At the time, the great, you know, X Windows interface and all.

How much radiation did we get from those big security monitors?

I went for RadioShack back in the day. And when they had RadioShack, in order to do the POS, the point of sale systems, they were running, I believe, Zenyx. Zenyx, not Unix. Zenyx, brand new brands. I'm going to put you on the spot, Paul. If you know any conferences I could submit stuff to, let me know. I want to join you at a conference.

How to run Xenix? Is that going to be here?

Yeah, how to run Xenix. Setting up the date with Xenix and Danny Advines.

Yeah, exactly. Yeah, we're dating ourselves now, right? Uh, yeah.

But at CPM, that was cool. That was cool stuff, man. CPM.

The point is today, Linux desktop, I think is viable. Uh, I've got to work on my presentation deck. I'm like, now is the time. And what's interesting is all the stuff happened I talked about. But the other thing I didn't mention yet is it's called endof10.org. I believe the website is endof10.org. Multiple developers from multiple open source projects have created this end of 10 campaign. It's basically a marketing campaign to run Linux on your desktop. I'm like, I couldn't have picked a better time to give this talk. It's like developers from KDE and other projects put this campaign together. And on the website, if you go to, I believe it's end of 10, the number 10.org, you go there, they've got a whole list of physical locations where you can go and get help installing Linux. Because they're like, look, Windows 10 is ending support. Do you want to keep your hardware? We don't want all this e-waste. Do you want to keep your hardware? It's perfectly great hardware. will help you install Linux on it, right? If anyone needs installing Linux, reach out to me, to people you know, put it out on social, whatever. There are people that will help you install Linux. A lot of the ones on endof10.org are in Europe, a lot of Linux developers in Germany and various places in Europe, but you can get help with that. I'm like, wow, there's a whole campaign about this now. Again, leading up to like, we joke about the year of the Linux desktop. 2025 could very well be it, from what I'm seeing.

What people are going to ask is, how do I use Linux workstations in my enterprise using Active Directory with my Windows service?

Because they're not going to get rid of their Windows service.

It's a whole other story. Yeah, I know.

That's what people are going to ask.

The manageability of it, yeah. dig down into it. But that's the questions people are going to ask.

So like Teams runs great on Linux. People have created Linux client, even though Microsoft abandoned the Linux Teams client, other open source people have picked it up. You can put that on there. It runs great in a browser in Chrome. I'm also not, one of the things in my talk, a little spoiler on my talk, I'm not a Linux zealot in the sense that I only want to run open source software and drivers. I enable the options, like if you've got a proprietary driver, I'm going to run that. I'm going to run that too. I want to run Chrome. Like, you know, I have Firefox, I have Brave, I have all the browsers, but I also have Chrome, right? That runs on my Linux system. So I'm not like 100% has to be completely 100% open source software. I'm like, no, I want what works. I want to run Linux, but I want to run what works. So I, if, when you install Ubuntu, right? For example, there's a checkbox. Do you want to enable proprietary drivers? Yes. Like I have an NVIDIA card. I'll run the NVIDIA driver, which by the way, is not horrible today. People will. Again, past experiences. I had a bad time with NVIDIA drivers. I get it. I've had my issues as well. But today, much better. Also, NVIDIA is supporting a full 100% open source driver. There's a huge initiative to get a full 100% open source driver for NVIDIA cards on your Linux systems today. Similar to AMD, right? I don't have a lot of NVIDIA problems. I have NVIDIA cards, I have an AMD card, and I have the Intel graphics. They all work great today, right?

I have 99 NVIDIA cards, but NVIDIA is not one of them. I picked it up, sorry.

The hardware support really has come a very long way. Long way. You know, the desktops are just as good. I mean, I'll tell you, I have a, uh, I got a Dell XPS and, um, I don't know why I got it. I was, must've been drunk at the time, but, uh, I finally got fed up with Windows. I'm like, screw this. It runs horribly. It's got all the bloatware, like you said, and everything. And I said, I'm putting Linux on it. So I put Linux, I think I put Ubuntu on it at the time. I've done a few other things, but I put Ubuntu and I'm like, It works great. It runs better than Windows. And then I go, I don't know, somehow I pointed at something or I touched the screen and the window moved. I'm like, holy shit, even the touch screen worked. Right. I was like blown away.

I'm like, whoa, that was unexpected. It's amazing the thriving community around Linux, right? I talked about Manjaro and Arch Linux, their Arch user repository. there's a whole community of people packaging software, excuse me, for this environment. And I'm like, this is amazing. Like, this didn't exist before. If you wanted some kind of weird utility or software package that wasn't in your app repository, your options were like compiling from source in the early days, which was, as we all know, very painful. Then as we moved forward, it was Flatpak, it was Snap. But I love the Arch Linux distributions because they have a unified packaging system and people are doing amazing work making all this software that you can install in one command.

on the channel, but I got it.

You got to play around. You got to play around with. There's, you know, multiple people packaging the same software and you got to pick and choose. I'll admit that that that's a little, little tedious. But once you find that, like, like, oh, like my I don't know if you guys in a 3D printing.

Oh, my God. I love 3D printing.

I have bamboo. I have bamboo printers. Right. And Bamboo Studio and people are actively working on packaging Bamboo Studio. Sometimes it breaks. But there's a community of people that are making it work. So the next version, when I update, they fix the bugs and it works. And it's amazing.

So Paul, I got to just put, I got to say, I got to tell everyone, you know, if you're interested in Linux and everything, I'm going to do a public service announcement here. Yes. Arch is wonderful. All the cool kids like Arch.

It's a little hardcore.

Don't use that as your first distribution. Go for one of the easier ones.

I like Ubuntu, Mint. I like Fedora, actually. Fedora's great.

So my kid, my oldest, does a lot of 3D printing. And I had a conversation with them. I said, why don't you just network a 3D printer? So unbeknownst to me, my kid goes out, goes on Amazon. by Raspberry Pi, puts the interface into the Raspberry Pi, puts the firmware onto the Raspberry Pi, sets up a camera on the Raspberry Pi to watch the print job. I don't know what they did, but they have remote access to the printer from their college in Ithaca. It's awesome. And they're not technical. They did it all themselves.

Yeah. I mean, bamboo gives you that by default, but if you get another 3d printer and they're building that, that's, that's amazing. That's awesome. There's a lot of great 3d print. I mean, bamboo is kind of like the, I just want it to work kind of thing, right? It's proprietary. People have issues with that, but I'm like, I just, I want it to work. Um, but awesome. If your kids are, you know, I've got friends that are using different 3d printers and ask me questions and I'm like, that's awesome. I got an Ender 3 here in the studio that Larry and I need to spend some time to get running. But the bamboos are great for like, it just runs kind of thing.

All right. Well, Paul, it has been so much fun having you on. It was a great discussion. You're doing some cool work and I'd love to talk about Linux and all that stuff. Absolutely. Yeah, episode two. Great.

Yeah, I'll come back anytime, man.

Or you can continue on his podcast.

Yeah, or you guys can come on my podcast. It's totally fine. Josh Bressers and I, just the closing thing. He has two podcasts. I have two podcasts. And just recently, we completed like the full spectrum of I've been on both his, he's been on both of mine. So yeah, you guys are more than welcome.

It's a crossover event. It's like that TV stuff. Awesome.

We actually are celebrating our two year anniversary of our podcast. And it's kind of, it's kind of funny, right? We did some of these blending of podcasts. We even did an EMS blending of a podcast, because I'm an EMT also. Not that I'm really active, but we were talking about how to protect your EMS devices. How do they, you know, protect the security? So we've done some crossovers too, but outside of cybersecurity. It's been really interesting.

Yeah, well, we try to do some, you know, Well, different things, a little outside and everything, but it is a lot of fun to sit down and just talk about old school security and stuff. I love it.

Cause that's where we come from. We could go from multiple hours, just chat with you guys. That's what I love about you guys. Dad, when I jumped on the call, I'm like, Oh, we get, we can, we get to hang out. Yeah. Right. Well, when you come down to New York, you know, I love going to New York. My family loves it too. We did a family trip to New York a few years ago. It's great.

We're going to have the anniversary in a couple of weeks. So we'll see you then.

Awesome. Awesome. I'm not far from New York. We can, we can come down.

That's right. Okay, great. Well, Paul, thanks again for joining. Thanks for having me. Tremendous amount of fun.

Thank you very much. We really appreciate it.

All right, Adam. I'll see you in Staten Island.

Will you?

Yes, I always come to see you, remember? You won't come to Jersey.

I know, for the anniversary. And then while he's there, we'll take a couple little videos and stuff. I can't believe I came to Staten Island. There's all these wild turkeys. By the way, before we end this call, there was a mother fox running around with the baby foxes, running around Staten Island the other day.

It's like Wild Kingdom out there in Staten Island. It's crazy. Oh, God. All right. Thanks, guys. Thanks, everyone. Thank you. See you next time. Bye.