More stories

  • in

    Microsoft: We've open-sourced this tool we used to hunt for code by SolarWinds hackers

    Microsoft is open-sourcing the CodeQL queries that it used to investigate the impact of the Sunburst or Solorigate malware planted in the SolarWinds Orion software updates. Other organizations can use the queries to perform a similar analysis.
    Microsoft released the queries as part of its response to the attack on SolarWinds Orion network monitoring software, which was used to selectively compromise nine US federal agencies and 100 private sector firms, many of which were from the tech sector. 

    Suspected Russian government-backed hackers compromised SolarWinds’ build system in early 2020 to pull off the supply chain attack discovered by Microsoft and FireEye — a feat that Microsoft estimated took at least 1,000 engineers.
    “A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product,” the Microsoft security team said in a blogpost. 
    “These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information. The incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of their own codebases.”
    Microsoft used CodeQL queries to analyze its source code and confirm there were no indicators of compromise (IoCs) and coding patterns associated with Solorigate aka Sunburst malware in its source code. 

    Microsoft earlier this month admitted the SolarWinds hackers downloaded some Azure, Exchange, and Intune source code in what appeared to be a limited attack. It and FireEye were compromised by the tainted Orion update.
    Static and dynamic code analysis are part of the defense line-up that organizations can use to detect a software-based attack.  
    Microsoft warns that findings from the queries will need to be reviewed because indicators “can occur coincidentally in benign code.”
    It added: “Additionally, there is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant.”
    The company also shared some of its security philosophy. 
    “Microsoft has long had integrity controls in place to verify that the final compiled binaries distributed to our servers and to our customers have not been maliciously modified at any point in the development and release cycle. For example, we verify that the source file hashes generated by the compiler match the original source files. Still, at Microsoft, we live by the “assume breach” philosophy, which tells us that regardless of how diligent and expansive our security practices are, potential adversaries can be equally as clever and resourced.”
    SolarWinds’ build processes were not the only weak point the attackers exploited. At a US Senate hearing this week, CrowdStrike CEO George Kurtz critiqued Microsoft for “systemic weaknesses in the Windows authentication architecture”, referring to Active Directory and Azure Active Directory, Reuters reported. These allowed the attackers to move laterally after compromising a network. CrowdStrike was targeted during the attack but said in December that it “suffered no impact”.
    Mike Hanley, the newly appointed chief security officer (CSO) of Microsoft-owned GitHub, said CodeQL provides “key guardrails that help developers avoid incidents and shipping vulnerabilities”.

  • in

    Cybercrime groups are selling their hacking skills. Some countries are buying

    Cyber-criminal hacking operations are now so skilled that nation-states are using them to carry out attacks in an attempt to keep their own involvement hidden.
    A report by cybersecurity researchers at BlackBerry warns that the emergence of sophisticated cybercrime-as-a-service schemes means that nation states increasingly have the option of working with groups that can carry out attacks for them.

    The cyber-criminal operation provides malicious hacking services, such as phishing, malware or breaching networks, and gets paid for its actions, while the nation state that ordered the operation receives the information or access it requires.
    It also comes with the added bonus that because the attack was conducted by cyber criminals who use their own infrastructure and techniques, it’s difficult to link the activity back to the nation state that ordered the operation.
    “The emergence, sophistication, and anonymity of crimeware-as-a-service means that nation states can mask their efforts behind third-party contractors and an almost impenetrable wall of plausible deniability,” warns the BlackBerry 2021 Threat Report.
    Researchers point to the existence of extensive hacking operations like Bahamut as an example of how sophisticated cyber-criminal campaigns have become.

    Originally detailed by BlackBerry last year, Bahamut uses phishing, social engineering, malicious apps, custom malware and zero-day attacks in campaigns targeting governments, private industry and individuals around the world – and had been doing so for years before being uncovered.
    Researchers note how “the profiles and geography of their victims are far too diverse to be aligned with a single bad actor’s interests”, suggesting that Bahamut is performing operations for different clients, keeping an eye out for jobs that would make them the most money – and when it comes to funding, certain nation states have the most money to spend on conducting campaigns.
    Not only does the client nation state gain the access it requires to hacked networks or sensitive information, it does so with a reduced chance of the activity being linked back to it – meaning that it will potentially avoid consequences or condemnation for conducting attacks.
    “Threat actor identification can be challenging for threat researchers due to several factors, such as overlapping infrastructure, disparate targeting, and unusual tactics. This is especially true when only part of a campaign is outsourced,” said the report.
    Bahamut has continued to be active since its initial disclosure last year, with campaigns targeting government agencies linked to foreign affairs and defence across the Middle East. The group has also been conducting campaigns against targets in South Asia, with a particular focus on smartphone attacks.
    While protecting networks from determined cyber attackers can be difficult, there are cybersecurity practices that organisations can apply in order to help keep intrusions out, such as only providing remote access to sensitive information to those who absolutely need it and constantly examining the network for unusual activity that would be classed as suspicious.

  • in

    TikTok agrees to pay $92 million to settle teen privacy class-action lawsuit

    TikTok has agreed to pay a proposed $92 million to settle a class-action lawsuit alleging the company invaded user privacy.  

    The settlement, if approved, would lay to rest claims that the video content-sharing app, owned by Beijing-headquartered ByteDance, wrongfully collected the private and biometric data of users including teenagers and minors. 
    The class-action lawsuit originated from 21 separate class-action lawsuits filed in California and Illinois last year. 
    If accepted, the settlement — filed in the US District Court for the Northern District of Illinois — would require the creation of a compensation fund for TikTok users. In addition, TikTok would be required to launch a new “privacy compliance” training program and would need to take further measures to protect user data. 
    According to the proposed settlement (via NPR), TikTok was accused of using a “complex system of artificial intelligence (AI)” to recognize facial features in user videos, as well as to recommend stickers and filters. Algorithms are also cited as a means to identify a user’s age, gender, and ethnicity. 
    The lawsuit also alleged that user data was sent to China, and shared with third-parties, without consent. 
    TikTok has denied any wrongdoing. However, in a statement, the social media giant said:

    “While we disagree with the assertions, rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.”

    TikTok announced tighter controls for young users in January, including default privacy settings and restricting Duet and Stitch to users aged 16 and over. 
    A judge is required to approve the $92 million settlement. Under the terms of the deal, it is possible that class members in Illinois could receive a larger share, as Illinois is the only US state that has laws in place to allow residents to seek compensation when their biometric data is collected or used without consent, through the Illinois Biometric Information Privacy Act (BIPA).
    “Biometric information is among the most sensitive of private information because it’s unique and it’s permanent,” commented co-lead counsel Beth Fegan. “Users’ data follows them everywhere, and potentially for a lifetime. It’s critical that their privacy and identity is protected by stalwart governance to guard against underhanded attempts at theft.”
    FeganScott and Carlson Lynch LLP are among the legal firms involved in the class-action lawsuit. 
    Last year, Facebook agreed to pay $550 million to settle BIPA violation claims in Illinois. Complainants argued that the company’s “Tag Suggestions” feature scraped and stored biometric markers without the consent of users. 

  • in

    Attorney-General urged to produce facts on US law enforcement access to COVIDSafe

    The Attorney-General has been asked by Australia’s COVID-19 Senate Select Committee to produce documentation pertaining to legal advice received on the COVIDSafe app’s Bill — the Privacy Amendment (Public Health Contact Information) Bill 2020 — in relation to the United States Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
    Amazon Web Services (AWS) was handed the data storage contract for Australia’s COVID-19 contact tracing app in April. With AWS headquartered in the United States, concerns over the security of the data had been raised, with fears the data could be accessed by US law enforcement.
    The committee has, since May, been seeking access to the legal advice provided to the Attorney-General’s Department (AGD) on the matter. So far, the committee has not been convinced that the public interest immunity claims made by the department were sufficient to exempt it from producing such documentation.
    The committee sought the AGD’s assurance that the data collected by COVIDSafe could not be accessed by a US law enforcement agency under the provisions of the CLOUD Act.
    While AGD confirmed it had received legal advice on the interaction of the two laws, it would not discuss the content of that advice on the basis of legal professional privilege. The committee then received a letter from AGD, further refusing to provide the information.
    In a rebuttal, the committee has said it emphasised the importance of receiving the information.

    “The legal advice is significant evidence to the committee’s inquiry,” it wrote [PDF].
    “Serious concerns have been raised by the technology industry and peak legal bodies in relation to the safety of COVIDSafe data, which require scrutiny.”
    The committee said the provision of the legal advice would permit it to independently assess whether the CLOUD Act could allow US authorities to compel AWS to hand over COVIDSafe data under a warrant.
    As a result, the committee has asked AGD, no later than 12:00pm on 17 March 2021, to produce an unredacted copy of the legal advice that the department received regarding the interaction of the Privacy Amendment (Public Health Contact Information) Bill with the United States’ CLOUD Act.
    “In the event that the Attorney-General fails to provide the unredacted document, the Senate requires that the Minister representing the Attorney-General attend the Senate at the conclusion of question time on 17 March 2021 to provide an explanation, of no more than 10 minutes, of the Minister’s failure to provide the document,” it wrote.
    The Second interim report: Public interest immunity claims document detailed further claims of public interest immunity received during the course of its COVID-19 hearings.
    This comprised two claims made on behalf of the Minister for Health by Senator Michaelia Cash, then-Minister who represented the Minister for Health in the Senate; two claims made on behalf of the treasurer, one by former Senator Mathias Cormann and one by Senator Simon Birmingham; a claim made by Senator Richard Colbeck, then-Minister for Aged Care and Senior Australians; and a claim made by Minister for Families and Social Services Anne Ruston.
    “The committee has resolved not to accept these claims on the grounds provided,” it wrote.
    “Taken together, these claims have compromised the committee’s ability to scrutinise government decisions with a profound impact on lives of Australians.”
    It said it was concerned the claims reflect a pattern of conduct in which the government has “wilfully obstructed access to information that is crucial for the committee’s inquiry”.
    “The committee believes the government’s repeated misuse of public interest immunity claims as a basis for withholding key information from the committee is at best lazy and at worst a deliberate abuse of the public interest immunity process. Such an approach undermines the Senate and cannot be left to go on unchallenged,” the report states.
    “If we do not stand up for the Senate’s powers and reject this government’s secretive agenda designed simply to protect the executive, then the Senate will become a toothless tiger that gets spoon fed only the information that the government wants to feed it. That is not how our system is meant to operate.”

  • in

    Privacy Commissioner asks for clarity on minister's powers in Critical Infrastructure Bill

    The Office of the Australian Information Commissioner (OAIC) has asked that the powers given to the minister responsible under the pending Critical Infrastructure Bill, which would allow them to step in when a cybersecurity incident has occurred, be further defined to take into account the impact on individuals’ privacy.
    The Security Legislation Amendment (Critical Infrastructure) Bill 2020 introduces a government assistance regime that provides powers to protect assets during or following a significant cyber attack. This includes the power to authorise information gathering directions, action directions, and intervention requests.
    The Bill proposes that where an appropriate ministerial authorisation is in force, the Department of Home Affairs secretary can compel relevant entities to produce any information that may assist with determining whether power should be exercised in relation to the incident and asset in question.
    “The secretary may also direct an entity ‘to do, or refrain from doing, a specified act or thing’,” the OAIC highlighted in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review into the Bill.
    “This broad power should be balanced with appropriate safeguards, oversight, and accountability to ensure it is proportionate.”
    The OAIC recommended that, in deciding whether or not to give the necessary authorisation, the minister responsible should be required to consider the privacy impacts of the exercise of these powers insofar as they apply to “business critical data” or other data that may include personal information.
    “In our view, this would help to build both industry and community trust and confidence in the proposed framework,” the OAIC wrote.

    “This requirement to consider privacy could be included in the matters that the Minister must have regard to when determining whether a direction or request is a proportionate response to a cybersecurity incident, as under ss 35AB (8) and (11).”
    The OAIC said there is precedent for this approach in the Telecommunications (Interception and Access) Act 1979.
    It also recommended the committee consider an amendment to ensure disclosure of protected information is permitted for the purposes of giving effect to the exercise of the information commissioner’s privacy functions.
    “The OAIC wishes to ensure that the restrictions on an entity making a record of, using or disclosing protected information under [parts of the] Act do not limit the ability of the OAIC to exercise its privacy functions, or prevent entities from disclosing information required for compliance with and the administration of the Privacy Act,” it said.
    The OAIC has also asked for an amendment to the Australian Information Commissioner Act 2010 to permit information sharing between regulatory agencies. The last recommendation is that the explanatory memorandum makes reference to the commissioner’s guidance function to indicate that it is intended that the OAIC is consulted in relation to any guidance on the personal information-handling obligations that would apply to the scheme.

  • in

    Chinese cyberspies targeted Tibetans with a malicious Firefox add-on

    Chinese state-sponsored hackers have gone after Tibetan organizations across the world using a malicious Firefox add-on that was configured to steal Gmail and Firefox browser data and then download malware on infected systems.

    The attacks, discovered by cybersecurity firm Proofpoint this month, have been linked to a group the company tracks under the codename of TA413.
    Only Firefox users were targeted
    Proofpoint said the attackers targeted Tibetan organizations with spear-phishing emails that lured members to websites where they’d be prompted to install a Flash update to view the site’s content.
    These websites contained code that separated users. Only Firefox users with an active Gmail session were prompted to install the malicious add-on.
    The Proofpoint team said that while the extension was named “Flash update components,” it was actually a version of the legitimate “Gmail notifier (restartless)” add-on, with additional malicious code. Per the research team, this code could abuse the following functions on infected browsers:
    Gmail:
      • Search emails
      • Archive emails
      • Receive Gmail notifications
      • Read emails
      • Alter Firefox browser audio and visual alert features
      • Label emails
      • Mark emails as spam
      • Delete messages
      • Refresh inbox
      • Forward emails
      • Perform function searches
      • Delete messages from Gmail trash
      • Send mail from the compromised account
    Firefox (based on granted browser permissions):
      • Access user data for all websites
      • Display notifications
      • Read and modify privacy settings
      • Access browser tabs
    Firefox add-on also installed malware

    But the attack didn’t stop here. Proofpoint said the extension also downloaded and installed the ScanBox malware on infected systems.
    A PHP and JavaScript-based reconnaissance framework, this malware is an old tool seen in previous attacks carried out by Chinese cyber-espionage groups.
    “Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint said in a report today.
    The last recorded case of a ScanBox attack dates back to 2019 when Recorded Future reported attacks against visitors of Pakistani and Tibetan websites.
    As for its capabilities, Proofpoint says ScanBox is “capable of tracking visitors to specific websites, performing keylogging, and collecting user data that can be leveraged in future intrusion attempts,” making this a dangerous threat to have installed on your systems.
    Flash EOL might have helped attackers
    In this particular campaign, which Proofpoint codenamed FriarFox, attacks began in January 2021 and continued throughout February.
    Although hackers have been using fake Flash update themes for years and most users know to stay away from websites offering Flash updates out of the blue, these attacks are believed to have worked much better than previous ones.
    The reason is that Adobe retired Flash Player at the end of 2020, and all Flash content stopped playing inside browsers on January 12, 2021, when Proofpoint also saw the first TA413 FriarFox campaigns targeting Tibetan organizations.

  • in

    Spy agency: Artificial intelligence is already a vital part of our missions

    The UK’s top intelligence and security body, GCHQ, is betting big on artificial intelligence: the organization has revealed how it wants to use AI to boost national security.
    In a new paper titled “Pioneering a New National Security,” GCHQ’s analysts went to lengths to explain why AI holds the key to better protection of the nation. The volumes of data that the organization deals with, argued GCHQ, place security agencies and law enforcement bodies under huge pressure; AI could ease that burden, improving not only the speed, but also the quality of experts’ decision-making.
    “AI, like so many technologies, offers great promise for society, prosperity and security. Its impact on GCHQ is equally profound,” said Jeremy Fleming, the director of GCHQ. “AI is already invaluable in many of our missions as we protect the country, its people and way of life. It allows our brilliant analysts to manage vast volumes of complex data and improves decision-making in the face of increasingly complex threats – from protecting children to improving cyber security.”

    GCHQ is already heavily involved in AI-related projects. Although the organization will not disclose the exact details of its use of the technology, Fleming pointed to various partnerships with AI-related start-ups located around the country, as well as a strategic collaboration with the Alan Turing Institute, which was founded to advance research in AI and data science.  
    It is no news, therefore, that the intelligence body has a strong interest in using AI; but the newly published paper suggests that GCHQ is prepared to further ramp up its algorithmic arsenal in the years to come. The threats to the nation are increasing, argued Fleming, and they are coming from hostile states that are themselves armed with AI tools – and the UK should be prepared to face modern-day risk. 
    “The nation’s security, prosperity and way of life faces new threats from hostile states, terrorists and serious criminals, often enabled by the global internet. An ever-growing number of those threats are to the UK’s digital homeland – the vital infrastructure and online services that underpin every part of modern life,” said Fleming. 
    Almost half of UK businesses have reported a cyberattack in the past 12 months, with a fifth of those leading to a significant loss of money or data, says GCHQ’s paper. AI could help the agency better identify malicious software, and continually update its dictionary of known patterns to anticipate future attacks. The technology could also be used to fight online disinformation and deepfakes, by automatically fact-checking content, but also weeding out botnets and troll farms on social media. 

    AI will also help identify grooming behavior in the text of messages in chat rooms to prevent child sexual abuse; it will run across content and metadata to find illegal images that are being exchanged, preventing at the same time human experts from watching traumatically disturbing material. Using similar methods, the technology will assist the fight against drugs, weapons or human trafficking – analyzing large-scale chains of financial transactions to help dismantle some of the 4,772 groups in the UK that are estimated to be involved in serious organized crime.  
    But as with any other application of AI, using algorithms for national security purposes doesn’t come without raising ethical questions – in fact, when the stakes are so high, so are concerns with transparency, fairness or trust. At the same time, the nature of intelligence and security services means that it is difficult to reveal all the details of GCHQ’s operations. In other words, compromise will be necessary. 
    “In the case of national security, intelligence agencies traditionally operate behind a veil of secrecy and are not inclined to share information about their activities. It’s basically true by definition that their activities need not be explicable,” Robert Farrow, senior research fellow at the Open University, tells ZDNet. 
    “However, we know that machine learning can result in biased decision making if it is trained on biased data. If a biased algorithm is used for, say, profiling of potential terrorists by mining data from social networks, decisions might be made about people’s lives with no way for the public to check or evaluate whether the actions taken were ethical.” 
    When it comes to transparency, GCHQ’s track-record is questionable at best. The organization has come under public scrutiny numerous times since Edward Snowden, a former contractor at the US National Security Agency, shed light on the agency’s mass surveillance practices. GCHQ’s secretive bulk data collection program was ruled unlawful by independent judicial body the Investigatory Powers Tribunal (IPT).  
    Since then, surveillance laws have changed, but the UK’s Investigatory Powers Act (IPA), also known as Snoopers’ Charter, still makes it legal for government agencies like GCHQ to collect and retain some citizen data in bulk.  
    GCHQ’s latest paper, perhaps in an attempt to reassure the public on the use of their data, has a strong ethical focus. The agency committed to a fair and transparent use of AI, recognizing that the nature of GCHQ’s operations might impact privacy rights “to some degree”, and pledging adherence to an AI ethical code of practice, which is yet to be established. 
    “We need honest, mature conversations about the impact that new technologies could have on society. This needs to happen while systems are being developed, not afterwards. And in doing so we must ensure that we protect our [citizens’] right to privacy and maximize the tremendous upsides inherent in the digital revolution,” said Fleming. 
    Many experts welcomed the agency’s renewed focus on ethical considerations, which will ultimately boost public trust and contribute to the uptake of a technology that could effectively be a game-changer in protecting the UK’s national security interests. Andrew Dwyer, researcher in computational security at Durham University, explains that AI could even help ease concerns about mass surveillance, by helping GCHQ identify and target the right individuals in the fight against terrorism or trafficking.
    “Of course it is a good thing that GCHQ uses these systems,” Dwyer tells ZDNet. “In this example, it could actually focus surveillance away from mass surveillance as such. This paper is a first step into thinking about the role of AI being applied in national security.” 
    But while many will agree that GCHQ’s use of AI is justified and necessary, the deployment of the technology is likely to trigger much debate. Farrow, for instance, believes that an ethical framework is not sufficient: even intelligence agencies should be required to provide an account of how algorithms influence decision-making. “What is really needed is for the law to catch up with technological developments and effectively regulate the use of AI,” he argues.
    One thing is certain: privacy groups and digital rights activists will have all eyes on GCHQ’s upcoming ethical code of practice.

  • in

    SolarWinds cybersecurity spending tops $3 million in Q4, sees $20 million to $25 million in 2021

    SolarWinds said it spent more than $3 million on cybersecurity costs in the fourth quarter due to its recent breach and sees security-related expenses of $20 million to $25 million in 2021. 

    The $20 million to $25 million security-related expenses include initiatives to bolster product defense, remediation, and consulting fees and insurance costs. 
    The company reported its fourth quarter results and had to address its cybersecurity troubles during the three months ended Dec. 31. SolarWinds said that it would face future cybersecurity costs. The company makes IT, network, systems, and database management software.
    SolarWinds’ earnings report has cybersecurity costs broken out a few ways. Under generally accepted accounting, “cyber incident costs” were $3.48 million. Those expenses are also listed at $3.16 million depending on the non-GAAP to GAAP reconciliation. 
    SolarWinds CEO Sudhakar Ramakrishna said:

    The sophisticated cyberattack on us and our customers at the end of the fourth quarter has taught us a great deal about the resiliency of our business, the commitment of our employees, and the support we can expect from our customers and partners.

    He added that the investigation into the cybersecurity issues continues and the company will emerge stronger. “We have a strong foundation from which to grow, and to establish a model for the future of the software industry by delivering powerful, affordable, and secure solutions,” he said.

    On a conference call with analysts, Ramakrishna said:

    The vast majority of the customers that I have spoken to understand that the cyber incident that affected us and others could have happened to any vendor, and especially a broadly deployed vendor like SolarWinds. Equally, they’re eager to see us address the issue and share our learnings which we are doing. The other opportunity that keeps coming up in these discussions is our ability to provide guidance and input to protect the entire environment of our customers as opposed to just focusing on our products, making us a more strategic partner. The majority of our customers that downloaded a version of the affected code have upgraded to our latest version and continue to renew their contracts with us. While the first priority continues to be to ensure the safety and security of our customers, our conversations with customers and partners have also given us the opportunity to discuss the strength of our entire portfolio and of our future plans.

    Ramakrishna added that through Feb. 17, nine federal agencies and about 100 private sector companies were compromised. “While our attitude will always be that one impacted customer is one too many, we currently believe the total number of customers will be significantly lower than what was originally feared,” he said. “We are applying our learnings from this event and sharing our work more broadly. Internally, we are referring to our work as secure by design. And it’s premised on zero trust principles and developing a best-in-class secure software development model to ensure our customers can have the utmost confidence in our solutions.”
    As for the fourth quarter results and outlook, it’s clear SolarWinds will take a hit from cybersecurity expenses. SolarWinds reported fourth quarter net income of $132.7 million on revenue of $265.3 million, up 7.2% from a year ago.
    For the first quarter, SolarWinds said sales will be between $247 million and $252 million with non-GAAP earnings between 19 cents a share and 20 cents a share. Wall Street was expecting non-GAAP earnings of 21 cents a share on revenue of $252.7 million.
    “We expect to incur significant legal and other professional services expenses associated with the Cyber Incident in future periods,” the company said. 
    Overall, SolarWinds executives said that there will be headwinds due to COVID-19 and the cybersecurity incident, but they are confident in the products and demand in the future. 
    “We’ve added a level of security and review through tools, processes, automation and where necessary, manual checks around our product development processes that we believe goes well beyond industry norms to ensure the integrity and security of all of our products. We firmly believe that the Orion software platform and related products as well as all of our other products can be used by our customers without risk of the Sunburst malicious code,” Ramakrishna said.