More stories

  • OWASP updates top 10 vulnerability ranking for first time since 2017

    Nonprofit foundation Open Web Application Security Project (OWASP) has released an updated draft of its ranking of the top 10 vulnerabilities, the first changes to the list since November 2017. The new list features considerable changes, including the rise of Broken Access Control, which moved from fifth on the list to number 1. The organization said 94% of applications have been tested for some form of broken access control and “the 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.” Cryptographic Failures also moved up the list to number 2 due to its connection to sensitive data exposure and system compromise. Injection moved down to the third spot, but OWASP noted that 94% of the applications were tested for some form of injection, which now includes cross-site scripting. A new category — Insecure Design — made its way into the fourth spot on the list, followed by Security Misconfiguration, which moved up one spot compared to the 2017 list. Security Misconfiguration now includes external entities, and the list’s authors said this was not surprising considering 90% of applications were tested for some form of misconfiguration and that there have been more shifts to highly configurable software. Vulnerable and Outdated Components was ranked number 9 in 2017 but moved up to number 6 for this year’s ranking. “It is the only category not to have any CVEs mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores,” the list’s authors noted.

    Identification and Authentication Failures — previously called Broken Authentication — fell significantly from number 2 to 7, with OWASP explaining that the increased availability of standardized frameworks has helped in addressing it. Software and Data Integrity Failures is an entirely new category for 2021 and focuses primarily on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity. “One of the highest weighted impacts from CVE/CVSS data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category,” OWASP said. Security Logging and Monitoring Failures was previously last on the list but moved up one spot and has expanded to include other types of failures. While these are challenging to test for, they can “directly impact visibility, incident alerting, and forensics.” Last on the list is Server-Side Request Forgery, which has a “relatively low” incidence rate but was cited highly by industry professionals. OWASP said that overall, there were three new categories and four others that had either name or scope changes made for the 2021 list. OWASP, which has put the list together for more than a decade, compiles the list based on contributed data and industry surveys. “We do this for a fundamental reason, looking at the contributed data is looking into the past. AppSec researchers take time to find new vulnerabilities and new ways to test for them. It takes time to integrate these tests into tools and processes,” OWASP said. “By the time we can reliably test a weakness at scale, years have likely passed. To balance that view, we use an industry survey to ask people on the front lines what they see as essential weaknesses that the data may not show yet.”

    Jayant Shukla, CTO of K2 Cyber Security, told ZDNet that instead of old risks going away, OWASP has consolidated existing risks into several categories and new risks have been added, reflecting the increased threats facing web applications. Shukla noted that one of the reasons Server-Side Request Forgery attacks and authentication issues are becoming more severe is the rapid increase in the use of microservices in building applications. “These new risk categories emphasize the need to shift left and improve pre-production testing. Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect,” Shukla said. “In fact, the National Institute of Standards and Technologies has recognized these shortcomings, and last year updated their SP800-53 application security framework to include Runtime Application Self Protection and Interactive Application Security Testing to better protect against these critical software weaknesses. It’s time the software development industry got on board and adopted these more effective technologies.”

  • Dell announces new features for EMC PowerScale and other security updates

    Dell unveiled a slate of new features that come with its NAS solution EMC PowerScale on Wednesday, announcing that the tools “provide more flexible consumption, management, protection and security capabilities to eliminate data silos and help you effectively use unstructured data.” In a statement, the company said the PowerScale hybrid nodes (H700 and H7000) are able to provide 75% more performance than comparable nodes, while the archive nodes (A300 and A3000) are two times more effective than similar products. “New PowerScale OneFS and DataIQ software enhancements expand storage management, performance monitoring, auditing and compliance capabilities to simplify file storage at scale. Enhancements to our API-integrated ransomware protection capabilities keep data protected from cyberattacks and now offer cloud deployment options in addition to on-premises,” Dell explained in a release. “Dynamic NAS Protection, available with PowerProtect Data Manager, delivers a simple, modern way to protect NAS systems through enhanced backup for file data enabling up to 3X faster backups and up to 2x faster restores.” The H700, H7000, A300 and A3000 represent what Dell called a “refresh” of the Isilon line of products that were unveiled last year. Dell said the new nodes offer more cores, memory and cache, additional networking options and more compatibility options. Nassos Galiopoulos, CTO at the University of Texas, San Antonio, said the Dell EMC PowerScale provides multiple nodes for transferring unstructured data at high speeds across the school’s HPC environment and scaling quickly to support their exponential data growth. “We now handle billions of records, along with big data analytics, AI, and machine learning, with tremendous velocity, variety, and volume,” Galiopoulos said.

    Later this quarter, Dell will also be releasing updates to OneFS that will allow the OS to “deliver writable snapshots, faster upgrades, secure boot, HDFS ACL support, and improved data reduction and small file efficiency.” DataIQ was enhanced recently to make it easier for users handling large-scale clusters, and the updates included UI enhancements as well as the ability to run reports that analyze volumes by time stamps. Dell also unveiled new security features designed to help organizations deal with ransomware attacks. The “Cyber Protection and Recovery solution from Superna for PowerScale” was built to assist enterprises in responding to and recovering from ransomware attacks. It now includes the Superna Ransomware Defender tool as well. “With this solution, customers can recover their data from a cybersecurity event leveraging the public cloud. A new Superna AirGap Enterprise provides more advanced automation to the air gap feature,” Dell explained. “Additional new productivity features to Superna’s Search and Recover and Easy Monitor capabilities also further expand PowerScale’s exceptional management and control capabilities. For organizations looking to manage easily, incremental-forever NAS data protection with rapid recovery at the file level, today we announced Dynamic NAS Protection, a simple, modern way to protect your NAS systems.” USC Australia infrastructure analyst Drew Hills noted that his organization has multiple policies using a variety of backup methods to protect files on their NAS and Windows File Clusters. “With PowerProtect Data Manager, Dynamic NAS Protection automatically slices shares, filesystems and volumes into multiple streams that run in parallel within the same policy,” Hills added. “It also automatically balances and scales across resources, simplifying management while accelerating backups faster than ever before.”

  • Brand abuse attacks dominate list of fraud trends: report

    A new report from Outseer has found that cybercriminals are increasingly turning to brand abuse to carry out attacks. The Outseer FraudAction team compiled the report based on the 49,000 attacks they tracked throughout Q2 of 2021. Armen Najarian, Outseer’s chief identity officer, told ZDNet that nearly half of the 49,000 cases Outseer detected in Q2 involved cybercriminals spoofing digital content and experiences, like a fake social media profile, a rogue mobile app or a spoofed website. “Bad actors impersonate credible brands this way to harvest consumer log-in credentials or personal data. As brands continue to accelerate their own digital transformation and as consumer data becomes more valuable, we predict brand abuse attacks will continue to increase,” Najarian said. Outseer said that for the third quarter in a row, brand abuse attacks were the most common attack vector detected. Outseer also found that the US continues to be the top hosting country for phishing attacks, holding on to the title since 2017. The US accounts for more than 72% of ISPs hosting these types of attacks, according to the report. Outseer attributed the trend to the handful of large-scale “hosting authorities,” whose sheer size makes it easier for fraudulent activity to go undetected.

    But people and companies in the US are also the second largest target for phishing attacks after South Africa, which made it to the top of the list due to the 24 million people impacted by the Experian data breach. Najarian noted that app stores are rife with rogue apps designed to steal from unwitting consumers and said there has been a rise in the number of such apps appearing in legitimate marketplaces and stores. “These fake apps, many of which pose as banking apps, infect users’ systems with malware if downloaded. We’ve seen 66% more of these rogue apps compared to last quarter, and 140% more compared to this same time last year,” Najarian said. In Q2 2021, Outseer researchers said they detected 140% more rogue banking apps than in the same time frame last year, and 66% more than in the previous quarter. For the third quarter in a row, mobile banking is the dominant channel for attacks: 70% of fraudulent transactions in digital banking originated in mobile channels in Q2. The company also managed to recover more than 4.5 million unique compromised cards and card previews from online card stores and fraud communication channels in the quarter. “The pandemic will continue to drive even more digital commerce of various flavors conducted from both desktop environments and increasingly from mobile devices. The increase in digital transactions equates to an increase in vulnerability, and fraud actors will continue to seek access to our personal information if fraud prevention solutions, 3-D Secure and risk-based authentication tools, are not implemented,” Najarian said. “It’s more urgent now than ever for businesses to protect their brands, and to protect their customers from these dangerous attacks, particularly as we approach the holiday shopping season.”

  • Phishers impersonate US DOT to target contractors after Senate passed $1 trillion infrastructure bill

    A new phishing campaign has been uncovered targeting companies that may work with the US Department of Transportation. The campaign, discovered by security company INKY, found that phishers are impersonating the US Department of Transportation (DOT) in an effort to harvest Microsoft Office 365 credentials, INKY’s Roger Kay wrote in a blog post. 

    Kay noted that the phishing emails peaked around August 16-18, right after the US Senate passed the $1 trillion infrastructure bill on August 10. Dozens of phishing emails sought to impersonate the DOT, with attackers contacting multiple companies in the engineering, energy and architecture industries asking them to submit bids for federal contracts. “The basic pitch was, with a trillion dollars of government money flowing through the system, you, dear target, are being invited to bid for some of this bounty,” Kay said. “By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential harvesting operation, the phishers came up with an attack just different enough from known strikes to evade standard detection methods.” Kay explained that attackers sent their phishing emails from “transportationgov[.]net,” a newly created domain intended to impersonate the usual government emails that come from .gov addresses.

    Amazon was the new domain’s registrar, Kay added, and the site was registered on August 16. “In the initial pitch, recipients were told that USDOT was inviting them to submit a bid for a department project by clicking a big blue button that said, ‘CLICK HERE TO BID.’ Recipients who clicked on the button were led to a site — transportation.gov.bidprocure.secure.akjackpot[.]com — with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ and ‘secure.’ But the base domain — akjackpot[.]com — was registered in 2019 and hosts what may or may not be an online casino that appears to cater to Malaysians. Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT,” Kay wrote. “Once on akjackpot[.]com, the victim was instructed to ‘Click on the BID button and sign in with your email provider to connect to the network.’ Targets were told to contact ‘mike.reynolds@transportationgov[.]us’ if there were any questions. However, transportationgov[.]us was another newly created domain registered by the phishers.”

    The phishers made their website look legitimate by copying the HTML and CSS from the real USDOT website. They even included a real warning from the government site about making sure users check that sites are legitimate US government websites. From there, victims were urged to click a red button asking them to bid, bringing up a Microsoft logo above a form meant to harvest Office 365 credentials. If a victim made it that far and actually entered their credentials, they were given a CAPTCHA challenge which then took them to a fake error message. From there, they were redirected to the real USDOT website, according to Kay. “This last move, dumping victims on a real site, is an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence. In the con business, this moment is called the ‘blow-off’ and refers to the time after which the perpetrator has obtained what they were after, but before the mark realizes that they’ve been duped,” Kay said. “In the physical world of swindling, the blow-off gives the perpetrator time to get away. This remnant of older con games sometimes turns up as an artefact in the digital world, where the perpetrators were never ‘there’ in the first place.”

  • Former AWS exec Charlie Bell to head new Microsoft Security, Compliance, Identity, and Management org

    When former AWS engineering veteran Charlie Bell quit to join Microsoft last month, his new role was a secret. Today, September 15, Microsoft announced his new job internally. Bell will be heading a new engineering organization inside Microsoft that will oversee security, compliance, identity and management. Based on an email from Microsoft CEO Satya Nadella to the troops, it looks like Microsoft and Amazon are in negotiations over his move. Bell will be reporting directly to Nadella and will join Microsoft’s Senior Leadership Team “once a resolution is reached with his former employer.” Frank Shaw, Corporate Vice President of Communications at Microsoft, provided the following statement: “We believe Charlie Bell’s new role can help advance cybersecurity for the country and the tech sector as a whole, and we are committed to continuing our constructive discussions with Amazon. We’re sensitive to the importance of working through these issues together, as we’ve done when five recent Microsoft executives moved across town to work for Amazon.” Since Nadella became CEO of Microsoft six years ago, Microsoft has not gone after any of its competitors, including Amazon, on non-compete issues, I believe. Bell posted about his new role at Microsoft on LinkedIn: “As digital services have become an integral part of our lives, we’re outstripping our ability to provide security and safety. It’s constantly highlighted in the headlines we see every day: fraud, theft, ransomware attacks, public exposure of private data, and even attacks against physical infrastructure. This has been weighing on my mind, and the best way I can think to describe it is ‘digital medievalism,’ where organizations and individuals each depend on the walls of their castles and the strength of their citizens against bad actors who can simply retreat to their own castle with the spoils of an attack. We all want a world where safety is an invariant, something that is always true, and we can constantly prove we have. We all want digital civilization. I believe Microsoft is the only company in a position to deliver this, and I couldn’t be more excited to work with this talented team to make the world safer for every person and organization on the planet.”

    Microsoft will be moving a number of teams from its Cloud + AI and Experiences + Devices teams under Bell as part of the move, including Microsoft 365 Security, Compliance and Management under CVP Harv Bhela; Identity under CVP Joy Chik; Security under CVP Bharat Shah; and the Chief Information Security Office team under CVP Bret Arsenault. According to CNBC, Bell was considered a candidate to head up AWS after Andy Jassy, the former AWS CEO, was promoted to lead all of Amazon. Adam Selipsky was chosen as the new AWS CEO in May. In other Microsoft reorg-related news, Microsoft announced on September 14 that President and Chief Counsel Brad Smith would become Vice-Chair of the Microsoft board, in addition to his other duties. Microsoft has never had a Board Vice-Chair before. From what I can tell, this is more about titles than any kind of change in responsibilities for Smith.

  • Microsoft just took another big step towards getting rid of passwords forever

    Microsoft is extending its passwordless sign-in option from enterprise customers that use Azure Active Directory (AAD) to consumer Microsoft accounts on Windows 10 and Windows 11 PCs. 

    “We’re extending that same passwordless technology that we had for commercial earlier this year to consumers. It’s simple to set up. If you have a Microsoft account, you can use the Authenticator [app] and within a few steps you can be passwordless,” says Vasu Jakkal, Microsoft corporate vice president of the Microsoft Security, Compliance, Identity and Management division. “We are going completely passwordless for Microsoft accounts. So you don’t need a password at all.” Users often pick bad passwords because they’re easy to remember, and those passwords are prone to password spraying attacks, where attackers try a list of common passwords against many online accounts in the knowledge that some people will have used them. But does this mean the death of the password? The OAuth and FIDO2 standards are helping usher in easier ways to use smartphones as two-factor or multi-factor authentication (2FA, MFA) options. But even for a software giant like Microsoft, which has over one billion PCs in use today, solving the password problem takes the entire industry to support, including operating system makers, browser makers and application developers. Windows PCs and Microsoft accounts for Microsoft apps, like Office, OneDrive, and Outlook, are a big part of the answer, but they’re not the whole picture. Nonetheless, Jakkal insists Microsoft is making headway.

    “Nearly 100% of our employees are passwordless. We use Windows Hello and biometrics. Microsoft already has 200 million passwordless customers across consumer and enterprise,” says Jakkal. At the moment, the option for password-free login is only for Microsoft accounts, but this extends to Microsoft apps on iOS, Android, and Windows. While it’s not so common to use Microsoft accounts to sign in to third-party apps, it is more likely that people with a Microsoft account are using online Office apps like Teams, PowerPoint, Excel, Word or SharePoint. The Microsoft Authenticator app for iOS and Android will now give consumers an option to use passwordless sign-in for supported apps that rely on a Microsoft account. You don’t need a password to sign in to the Microsoft account, and wherever you use that account, for whichever apps you are using it with, you are password free.

    Microsoft apps that still require a password include:

    • Xbox 360 or earlier
    • Office 2010 or earlier
    • Office for Mac 2011 or earlier
    • Products and services which use IMAP and POP email services
    • Windows 7, Windows 8.1, Windows 10 1809 or earlier
    • Some Windows features including Remote Desktop and Credential Manager

    The push for passwordless sign-in has been a multi-year effort at Microsoft and has required work to develop specifications for FIDO, the organization driving two-factor authentication and passwordless standards, Microsoft Identity corporate vice president Alex Simons tells ZDNet. “That was a modification of the Windows Hello protocol we originally created for Microsoft use. Google and Microsoft submitted that together through FIDO and over time we had a bunch of work and we have today what we know as WebAuthn and all of the supporting standards that make FIDO2 possible.” Simons explains that support for passwordless sign-in with consumer Microsoft accounts means that end users can completely remove passwords as a sign-in option. That, effectively, can close off the threat of password spraying attacks for Microsoft accounts and encourages consumers to use alternative sign-in methods for accessing Microsoft accounts. “For the first time we’re giving Microsoft account users not just the chance to use passwordless authentication, which they’ve had for years now, but actually the ability to go in and completely remove their passwords. So you can basically block sign-in with passwords to your Microsoft account and always insist on a passwordless factor that could be Windows Hello or a FIDO2 key from partners like YubiKey, or the Authenticator app,” says Simons. “We’re also pushing Apple and Google to support the standard natively,” he adds.

  • DOJ fines NSA hackers who assisted UAE in attacks on dissidents

    The Justice Department announced a controversial deal with three former US intelligence operatives that allows them to pay a fine after breaking multiple laws through their offensive hacking for the repressive government of the United Arab Emirates. The DOJ said 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke “entered into a deferred prosecution agreement” that allows them to avoid prison sentences in exchange for paying $1,685,000 “to resolve a Department of Justice investigation regarding violations of US export control, computer fraud and access device fraud laws.” The three were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians and dissidents opposed to the government. The three even hacked into US companies, creating two exploits that were used to break into smartphones. Both Reuters and The Intercept conducted an in-depth investigation into the work of Project Raven and a UAE cybersecurity firm named DarkMatter after members of the team raised concerns about the kind of hacking they were being asked to do by UAE officials.

    Despite the accusations listed in the court filing, the DOJ said Baier, Adams and Gericke — all former NSA employees or members of the US military — reached an agreement on September 7 to pay the fines in addition to other restrictions on their work. Baier will be forced to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and relinquish any foreign or US security clearances. They are also permanently banned from having future US security clearances and will be restricted from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles or providing defense services.

    The DOJ said the three were senior managers at a UAE company from 2016 to 2019 and continued to hack for the UAE despite being told they were violating rules that say people need a license from the State Department’s Directorate of Defense Trade Controls to do such work. “These services included the provision of support, direction and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems — i.e., one that could compromise a device without any action by the target,” the Justice Department explained in a statement. 

    “UAE CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by US companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.” Acting Assistant Attorney General Mark Lesko for the Justice Department’s National Security Division said the agreement was a “first-of-its-kind resolution” of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States. “Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct,” Lesko said. Acting US Attorney Channing Phillips noted that the proliferation of offensive cyber capabilities undermines privacy and security worldwide when left unregulated. Phillips claimed the US government was trying to ensure that US citizens only provide defense services “in support of such capabilities pursuant to proper licenses and oversight.” Despite the lack of prison sentences, Phillips said the agreement with the three hackers was evidence that a person’s “status as a former US government employee certainly does not provide them with a free pass in that regard.” Other government officials reiterated that message, warning other former US government hackers to avoid using their skills to benefit foreign governments.

    The three ignored orders from the US government that they abide by US export control laws, obtain preapproval from a US government agency prior to releasing information regarding “cryptographic analysis and/or computer network exploitation or attack,” and not “target or exploit US citizens, residents and companies.” The DOJ added that over an 18-month period, the three created two similar “zero-click” computer hacking and intelligence gathering systems that leveraged servers in the US belonging to a US technology company “to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a US Company-provided operating system.” “The defendants and other CIO employees colloquially referred to these two systems as ‘KARMA’ and ‘KARMA 2,’” the DOJ explained. “CIO employees whose activities were supervised by and/or known to the defendants used the KARMA systems to obtain, without authorization, targeted individuals’ login credentials and other authentication tokens (i.e., unique digital codes issued to authorized users) issued by US companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to, again without authorization, log into the target’s accounts to steal data, including from servers within the United States.” The company was forced to create Karma 2 after the US company updated its smartphone system to protect against Karma 1. By 2017, the FBI intervened again, telling the US company that Karma 2 was being used against them. Even after another update, both exploits were effective against older devices sold by the company.

    Reuters reporter Chris Bing noted on Twitter that Gericke previously served as CIO of ExpressVPN, the largest VPN in the market. Casey Ellis, CTO at Bugcrowd, said he believed $1.68 million was enough of a penalty to sting those involved and to act as a deterrent for others considering doing likewise. “However, the fact that it was settled means we can only speculate on the equities that were weighed up here,” Ellis said. “As the value and use of offensive cyber capability becomes more obvious, and as the lines of international relations continue to shift, I would expect to see more of these ‘slightly oddball’ outcomes in the future.” BreachQuest CTO Jake Williams added that while it is obvious Project Raven crossed a legal boundary, what is less clear is whether the US persons involved knew the project would be used to target other US persons and US organizations. “Given that the original mission was slated as counter terrorism, a mission that is very loosely defined by its nature, it was foreseeable that might be the eventual outcome. The second US companies and US persons were targeted under the program, every US person involved likely knew it was only a matter of time before some legal action was taken,” Williams said. “As for the fines and restrictions, it’s hard to evaluate whether those were appropriate without knowing the full situation. But taken at face value, they do appear sufficient to deter future behavior of this type and that’s really the goal. The US government certainly wanted to avoid any trial, which would undoubtedly involve the use of the State Secrets Protection Act — something that never sits well with the public.”

  • Cybercriminals recreate Cobalt Strike in Linux

    A re-implementation of Cobalt Strike has been “written from scratch” to attack Linux systems.

    Intezer said on Tuesday that the new variation, dubbed Vermilion Strike, leans on Cobalt Strike functionality, including its command-and-control (C2) protocol, its remote access functionality, and its ability to run shell instructions. Cobalt Strike is a legitimate penetration testing tool for Windows systems. Released in 2012, the tool has been constantly abused by threat actors, including advanced persistent threat (APT) groups such as Cozy Bear and campaigns designed to spread Trickbot and the Qbot/Qakbot banking Trojan. Cobalt Strike’s source code for version 4.0 was allegedly leaked online; however, most threat actors tracked by cybersecurity teams appear to rely on pirated and cracked copies of the software. Until now, at least. In August, Intezer uncovered the new ELF implementation of Cobalt Strike’s beacon, which appears to have originated from Malaysia. When the researchers reported Vermilion Strike, it went undetected on VirusTotal as malicious software. (However, as of the time of writing, 24 antivirus vendors have now registered the threat.)

    Built on a Red Hat Linux distribution, the malware is capable of launching beacons, listing files, changing and pulling working directories, appending and writing to files, uploading data to its C2, executing commands via the popen function, and analyzing disk partitions. While capable of attacking Linux builds, Windows samples have also been found that use the same C2 server and contain the same functionality. The researchers worked with McAfee Enterprise ATR to examine the software and have come to the conclusion that Vermilion Strike is being used in targeted attacks against telecoms, government, IT, advisory, and financial organizations worldwide. “The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer says. This is not the only unofficial port of Cobalt Strike, however. There is also geacon, an open source project based on the Golang programming language.