Transcript: The Code Room - Breaking Into Vegas
Jessi Knapp: Voiceover: The real world is fraught with security
challenges, privacy hurdles and mobility issues. All problems software
developers solve every day. Join us now as we explore the latest tools
and technologies for tackling real world development issues and meet
the geniuses who use them on this episode of The Code Room.
Knapp: Welcome to The Code Room. I’m your host, Jessi Knapp. We’re in
Las Vegas, Nevada to take a look inside the high stakes world of Sin
City security with seven of the top security experts in the field,
three of them posing as hackers and the other four as the baddest
security force on the planet. In this episode it’s good guys versus bad
guys. Breaking into Vegas.
In Vegas you’ll find honeymooners, tourists and gamblers of all types.
But Vegas really shines for its high rollers. Casinos, hotels and shops
roll out the red carpet for these VIPs who arrive from all over the
world bringing millions of dollars with them, millions that hackers
covet.
Hackers like Caleb “Bulletproof” Sima. Duane “The Samurai” Laflotte.
And Joel “The Hacktavist” Scambray. Hidden away at the Low Roller
motel, the hackers are holed up and working through the night. Their
target? The legendary Plaza hotel and casino.
Caleb Sima: You got it?
Duane Laflotte: Hello, there it is.
Knapp: They’ve found a way into the casino network.
Laflotte: Go, go, go to the VIP logins.
Joel Scambray: Yeah. I hate these Web sites, they’re so annoying.
Sima: Okay, there we go. We got it.
Laflotte: Awesome.
Sima: There it is.
Laflotte: That looks good. So what are we looking at?
Scambray: User names, it looks like coded passwords.
Knapp: Downloaded the user names and passwords from the database.
Sima: So what if we just create our own identity.
Scambray: Yeah, all right, I like that.
Sima: Instead of, see because like we don’t have IDs for them but if we
just create our own user I bet you they access the same database, they
pull up right in the database, boom, it looks like we’re a high roller.
Laflotte: Create it, we put money in the account.
Sima: Put – yeah.
Laflotte: I’m all about going downstairs and let’s get (inaudible).
Scambray: How do you feel like being a high roller?
Knapp: Then by creating a fake account with a phony balance they are
now in the process of siphoning 400,000 dollars from the casino.
Sima: Yeah, let’s see how well you could do.
Host: Right this way, guys. Cindy’s going to take care of you.
Knapp: Here’s how the money flows at the plaza. VIPs arrive after
transferring online funds into their electronic accounts, present
credentials, a pass phrase and receive a key that is as good as cash
anywhere in the casino with one swipe and a nod from the pit boss you
could wager a million dollars. All transactions are tracked on a server
deep inside the Plaza’s data center. Hack into this box and you’ve got
access to millions of dollars.
Hostess: Hi, may I help you.
Laflotte: I’d like to cash out.
Hostess: Okay, may I see your player’s card? Thank you. What’s your pass phrase?
Laflotte: Phase one.
Hostess: Okay, thank you very much.
Knapp: Just like taking candy from a baby.
Laflotte: Thanks very much.
Owner: 400,000 dollars? How in the world does that happen?
Knapp: When the Plaza boss learns he’s out 400,000 dollars he just about loses it.
Owner: Who’s responsible? Find them, bring them to me, somebody’s paying for it.
Knapp: He’s not aware that someone could just waltz in and steal that money right out from under his nose.
Worker: I’ll take care of it.
Knapp: It was out with the old and in with the new. IT, that is.
It was time to call in the big guns. So within hours the most elite
security team in the state was flown in stat to help the Plaza out of
its pickle.
The security A team. Rick “The Exposer” Samona. Frank “The Kid”
Swiderski. Keith “Dot Net Daddy” Brown. And John “The Professor” Viega.
The A team has arrived. Now it’s time to turn the tables on the bad
guys.
While the hackers settle in to target the Plaza’s money management
system from their new lair, the A team sets out to find the security
system’s vulnerability.
Rick Samona: Gentlemen, what we have here is a compromise of security.
The Plaza is out 400,000 dollars and that’s why they’ve called us in.
John Viega: So what approach do you want to take?
Samona: Well, we have to find out why the problem occurred to begin with and then we have to prevent it from occurring again.
Frank Swiderski: So what do we know about the client?
Samona: The client is a casino that deals with multiple transactions
per day. The transactions range on the low end from 100 to 200 dollars
all the way to the high end, which could be as high as two to three
million dollars.
Keith Brown: What about the app? What details do we have about that?
Samona: The application was built two to three years ago in-house. It’s
a Web application accessing a back-end database. Now when it was built
there was no formalized security training for the development team.
It’s a managed code Web application that’s accessing a back-end
database.
Swiderski: Did they check for SQL injections, things like that?
Samona: To be quite honest the developers have been released and they probably don’t even know what SQL injection is.
Viega: So the app is almost certainly Swiss cheese.
Samona: Absolutely. When the application was built it did not go
through security development lifecycle, security was not thought of
whatsoever.
Swiderski: Do we have any artifacts left over, logs, maybe even code or design docs from the original development team?
Samona: Our client has advised us that we have full access to all of
the backups and all of the data that we have. Now they have no
formalized process, they’re only doing backups on a biweekly basis.
Viega: We should run a code analysis and try to find some SQL injection vulnerabilities, see what else we can dig up as well.
Samona: I think that’s a great idea.
Swiderski: Yeah, absolutely, we need to find out how they got in in the
first place and see if there’s any other ways they might be able to get
in later and we can start doing some threat modeling, look to see what
the most likely avenues of attack are.
Brown: Good idea, we can also look at their positioning with respect to
the privilege levels they’re giving access to their database.
Knapp: With the hole patched, the security A team goes on the offensive.
We’re at the Peppermill fireside lounge, and I’m here with Joe Stagner,
the technical expert. And Joe, let’s talk about what we just saw. So
why don’t you explain a little bit about the technology that the A team
and the hackers used in the tier one attack and then in the defense
scenario.
Joe Stagner: Sure Jessi. The A team has really inherited a mess here.
The original developers of this application made some programming
mistakes. The bad guys have been able to examine this application from
the outside a little bit, find and leverage a SQL injection
vulnerability. So they’ve created an account, they’ve fabricated
400,000 dollars in assets in that account and then withdrawn that
400,000 dollars from the casino.
Knapp: That’s bad.
Stagner: It’s actually much worse than that. Because in addition to the
money that they’ve stolen we don’t know what other data that they’ve
been able to gather to use going forward or what sorts of artifacts
that they might have left in the system for use later on.
Knapp: How realistic is this? Could this really happen?
Stagner: You know developers tend to be very confident in their own
skills and I work in the security space pretty much full time. I look
at customers’ code on a week to week basis and developers make these
sorts of mistakes regularly. There are applications all over the world
that have these sorts of vulnerabilities in them today. This is
absolutely real world stuff.
Knapp: Now that the SQL injection vulnerability has been patched, what’s going to happen next?
Stagner: Well now it becomes a foot race between the good guys and the
bad guys. The good guys are sort of starting behind the gun. They’ve
inherited this application from a development team that really wasn’t
up to speed on security, so they need to get in there in a hurry, start
to do threat modeling on the application, identify the assets, the
trust boundaries, the vulnerabilities and they need to do that while
the bad guys are trying to stay one step ahead of them finding those
other vulnerabilities and leveraging those vulnerabilities to steal
more and more money.
Sima: I bought a Ferrari.
Laflotte: You bought a Ferrari, no way.
Sima: I really bought a Ferrari.
Laflotte: What color?
Sima: Take a wild guess.
Laflotte: You’re going to love the red Ferrari.
Sima: Well I mean if you’re going to – if you’re going to have a Ferrari it has to be red. You know?
Laflotte: Nice, nice.
Sima: I was thinking black, but no. No.
Scambray: Hey guys?
Sima: Yeah, what’s up.
Scambray: I hate to interrupt this love fest but we’ve got an issue.
Sima: What’s the deal?
Laflotte: What do you mean issue?
Scambray: It looks like the SQL injection that we used to get in originally isn’t working anymore.
Sima: That means they’re onto us.
Laflotte: What do you mean not working?
Scambray: It’s throwing a generic error page now. It looks like they’ve figured out that there was a hole.
Sima: So we’ve got some problems then.
Scambray: We could have big problems or it could be a minor setback.
Sima: Well that means that they know that something’s going on. Because they’re starting to fix problems.
Laflotte: Yeah, but they don’t know it’s us yet because they’re not storming these doors.
Sima: Well we know, we covered our tracks pretty damn well.
Laflotte: Yeah.
Sima: But the thing is is that we were going to keep using that to pull money.
Laflotte: We need another way in.
Sima: How are we going to get back in? Well we can – we can probably – we have those lists of user accounts.
Laflotte: Yeah.
Scambray: That’s right.
Laflotte: From the first time, you’re right. From the first time we went in.
Scambray: Did you start cracking those?
Sima: Well yeah, I started running some stuff on there but I sent over
the list to you, so you probably need to use that tool that I wrote and
see what you can get from it. But if we do this, if we do this that
means they’re onto us so we need to pull out big and we need to get the
hell out of Vegas.
Scambray: I agree with that.
Laflotte: Yeah, I agree with that.
Scambray: Let’s take a look and see –
Laflotte: One last pull and then we’re done.
Sima: Yeah, let’s get a million or more.
Knapp: At the hackers’ pad the guys have discovered weak encryption in
the Plaza’s money management system. Running the stolen database
through a code cracking tool they begin deciphering passwords of VIP
account holders.
Laflotte: Wait, wait, scroll back –
Scambray: How about that guy?
Laflotte: Yeah, that guy right there. Yeah, Matt Simmons. That picture –
Knapp: As they scan the photos Duane recognizes the high roller from
the (inaudible) and suggests they log into his account where they
discover a three million dollar balance.
Sima: Big fat bank roll.
Scambray: We could pull your digital camera in, insert a new image.
Sima: That’s what we should do.
Laflotte: Nice.
Sima: We should just put my ID on there.
Scambray: Let’s do that.
Laflotte: Mr. Simmons?
Sima: Yes.
Laflotte: What do you think about withdrawing three million dollars out of our casino here?
Sima: I would. In fact I’ve enjoyed my experience in your casino, the
gambling is excellent, but I’m going to have to make my leave.
Knapp: Now that the hackers have a fitting target they alter data in
the user account so Caleb can access the funds using a reprogrammed
identity.
Samona: All right. So we took a look at some of the SQL injection, could we have missed any? Are there any more possibly?
Brown: I think we’ve closed all those down, but I’m sitting here
looking at the connection string right now and these guys were
connecting to the database as SA.
Samona: So what could they have potentially done besides just get the account information?
Brown: They could have added operating system accounts, they could have other software on the server that we don’t know about.
Viega: Who knows, they could be remote controlling the server right now.
Swiderski: Exactly, basically at this point even if we block them from
access through the Web application it’s almost irrelevant at this
point. They’ve already got access, and I think we’ve got to come up
with a plan here. I think we’ve got several different things we’ve got
to do. I mean we fixed the Web application, sure, but at this point we
have to figure out how to address the future problems with the password
encryption, you know, if that turns out to be an issue, but beyond that
we’ve still got to capture these guys to make sure that they can’t come
back in and do it again.
Samona: It seems like they’ve done everything incorrectly, and this is
a prime example of why they should have went ahead and did their coding
properly to begin with.
Viega: Password system is very easy to crack, I have the client’s password, it’s MisterBig.
Swiderski: That’s his password?
Viega: That’s his password. We’re going to have to redesign the entire
password system and migrate all their users. It’s going to be very
costly because they’re going to have to come in and show identification
in order to know that they’re really who they say they are.
Brown: They probably need to repave their database server as well
because we don’t know whether their software is on there. We should
find out whether or not they have a backup.
Samona: What can we do for now to stop this from occurring? I mean if
somebody else can go in there right now and take another five, ten
million dollars, can we shut down the database?
Viega: Realistically they’d lose way too much money and so we can’t do
that. But what we’re going to have to do is let small fraudulent
transactions through but keep a watch on anything greater than 100,000
dollars.
Samona: So basically take a look at some trends –
Brown: That’s correct, yeah.
Samona: -- take a look at large transactions and particularly see if
there are large transactions occurring between the same user.
Brown: It might be a good idea to actually require manager intervention
or something in order to pass transactions that go beyond a certain
limit in order to limit the damage for now.
Samona: What we need to really be doing is we need to go in and catch
these bad guys because they have way too much information right now. So
the client has to be aware that there’s going to be more loss and so we
can actually get this thing fixed. He’s dug himself a huge hole and in
order to actually catch these bad guys we’re going to have to let some
of this fraudulent activity continue to occur.
Sima: Fellows? Guess what? Three million dollars.
[others holler]
Laflotte: That’s what I’m talking about.
Sima: That is what I’m talking about my brothers.
Matt Simmons: Good morning, yeah, we want to order some room service
today. What do you mean I don’t have credit here, I’ve got three
million dollars credit here. Wait a minute, I’ve got three million
dollars in this casino. What do you mean we can’t order room service? I
want a bagel.
Knapp: The A team seems to have let everyone down. The casino is
missing 3.4 million dollars and access to the already hacked system has
had its repercussions. Stolen identities and passwords have made the
hackers seemingly unstoppable. Joe.
Stagner: Well, Jessi, criminal hackers, they’re kind of like
cockroaches. Once they get in it can be almost impossible to get them
out. So the A team fixed that SQL injection vulnerability, right, they
used some validation controls to prevent that from being a way that the
hackers continued to attack, but hackers have a toolbox, a set of
standard tools that they use when they attack any sort of application.
In this case because they knew that they might have a limited amount of
time to gain access to the database the way that they did, they
gathered as much information as they could. And in this case that
information included all of the password hashes that were used by the
accounts to log in. So using this cracking tool they were able to use a
brute force dictionary attack to decipher the actual passwords from
those hash passwords. With the password and user name pairs they’re now
able to log in as any user in the system, change the credentials,
change the pass phrase and withdraw that money. And in this case
they’re not just stealing money from the casino, they’re actually
stealing money from the individual patrons in the casino.
Knapp: So the client must be getting pretty worried at this point.
Stagner: Yeah.
Owner: Mr. Simmons, good morning.
Simmons: Good morning.
Owner: I’m the owner of the hotel. I’m here to apologize to you personally for what has happened.
Knapp: Following the heist the casino owner pays a visit to Mr. Simmons
to apologize for the inexcusable security snafu and to reassure him
that everything is being done to correct the situation.
Owner: If there’s anything that you have a question about have my staff contact me –
Knapp: What he is really worried about, though, is the casino’s reputation in the high roller community.
Owner: And my promise that we will –
Simmons: Okay.
Samona: Frank, where are we at with the intrusion seduction.
Swiderski: Well we were looking at it, right, and it looks like there
might be yet another vulnerability here. It looks like it’s pretty easy
to predict session IDs here. I mean it may be as easy as just
predicting somebody’s name who’s logged in right now.
Brown: Yeah, I looked at the cookie. It’s in the clear, you can see the
user’s name right there. We tried it, you can change the user’s name
and you can become them, you can actually impersonate that user just by
changing that thing in the cookie.
Swiderski: Yeah, it’s absolutely as simple as just changing your account name.
Brown: And the guy could be looping through every account right now and draining those accounts.
Samona: So what should we do?
Swiderski: Well we’ve already got the intrusion detection going, so it
might be as simple as just looking at the IP addresses that the session
IDs are coming from, because if you’re hijacking somebody’s session
chances are you’re coming from a different IP address.
Viega: As a matter of fact I’ve been doing exactly that and you might
want to take a look at this. Look at that. All four of these login
names all coming from the same IP address within ten minutes of each
other.
Brown: Well that doesn’t make any sense.
Swiderski: That IP address looks really familiar. What’s your IP address and host mask.
Viega: Let’s take a look at it. We are definitely on the same subnet that is coming from within the hotel.
Samona: So we’re saying the bad guys are likely in the hotel right now?
Swiderski: Absolutely.
Viega: Or they were two hours ago.
Swiderski: Basically all we need to do is get a network admin in here
and talk to him and he should be able to pinpoint the room that they’re
in.
Knapp: The A team has discovered the three million dollar additional
loss. Meanwhile the casino boss arrives to blow his stack. But quick
thinking as they are, they already have a plan in place.
Owner: Gentlemen, I’m concerned, look at me. First of all, 400,000
dollars goes missing, then three million more. Please tell me you have
some answers.
Samona: We’ve gone through the application and were able to find where
the vulnerabilities were and we were able to stop those vulnerabilities
but the bad guys already have all the user names and passwords. Now you
have to know it’s actually going to get worse before it gets better.
What we plan on doing is monitoring the accounts on a manual basis and
trying to take a look and see if there’s any fraudulent activity that’s
occurring amongst the accounts. Now I assure you you hired the best and
we will get this solved.
Owner: I’m putting my faith in you.
Samona: Absolutely.
Knapp: The security team is the last thing on the hackers’ minds as they hit the town to celebrate their jackpot.
So the Plaza is now out 3.4 million dollars. The manager’s flipped out. Where do we go from here?
Stagner: Well, the manager’s flipped out because like most companies
that develop software they’ve been focused on the functionality of the
software and underinvested in security. So they could have hired the A
team to come in before they deployed this application to find out if
these vulnerabilities were there, but instead they waited until after
they had a successful breach, the money’s been stolen and brought the A
team in in crisis mode. So it’s a tough situation for them to – for
them to have to tackle but what the A team has to do now is as they
continue to mitigate the individual risks because the attacks are
ongoing this is actually a good thing, right. So the fact that the
hackers are continuing to work means that the A team can implement
intrusion detection technology, there are lots of tools and
methodologies in order to do that but the basic idea is to be able to
track the activity in the system and then use some trend analysis to
determine which of those activities have a high probability of being
criminal activity. And the more of that data that they can gather the
more that they can pinpoint the location is that the activity is coming
from so they can narrow it down and actually catch the people behind
that criminal activity.
Knapp: So the more that the hackers move within the system the easier we’re going to be able to find them.
Stagner: Right, the more they move around in the system the more data
that they provide to the intrusion detection technology then the higher
the probability that we’re going to be able to narrow down those points
of access and actually catch the bad guy.
Knapp: Tired out from their big night on the town the hackers return to their Plaza suite to dream up some more trouble.
Scambray: Hey guys, I got a problem here.
Laflotte: Man, you always have problems.
Sima: Every single time, I know.
Scambray: This is a serious functional issue, though. The password that we took down Mr. Big with isn’t working anymore.
Sima: This – see, this is what I’m talking about.
Laflotte: Come on, come on, give us a couple more seconds here.
Sima: This is twice that this has happened where they’ve come – we’ve
broken in, they’ve covered their tracks, they’re getting close.
Laflotte: Yeah, come on. Two more minutes.
Sima: Okay, so what are we supposed to get, how are we supposed to get in now?
Laflotte: We’ll figure it out. Hey we are three of the smartest hackers around.
Sima: All right, yeah, we just got three million dollars, I know, I know.
Laflotte: We can do this. 3.4 million.
Sima: All right, 3.4.
Scambray: Right you are, I think I might have just figured out a way to do it.
Laflotte: There we go, see, we give our boy Joel two seconds, two seconds and he’s on it.
Sima: What do we have?
Scambray: When you authenticate you need a user name and a password,
but the token that you get back, the session ID is just generated from
the user name. And we’ve got the list of user names from the previous
hacks.
Laflotte: There’s no way they changed the user names.
Sima: What’s the user name for this guy that we’re supposed to take the money from?
Scambray: I don’t know, but he’s got 25 million dollars in his account.
Sima: Okay.
Scambray: Is that worth it for you to stay in?
Sima: Well I mean let’s do this, I mean but how –
Laflotte: Now all we have to do is just bounce around the different user names we have and find them again. That’s all.
Sima: Okay.
Scambray: It’s worth the risk.
Sima: Are you going to do that?
Laflotte: Yeah, let me do that. Let me jump on that. Can you toss me the cookie?
Scambray: Coming to you.
Laflotte: Awesome, got it. I’m running it through the list.
Sima: These guys can’t be this stupid. There’s no –
Scambray: We’ve done this a million times before.
Sima: I know we’ve done it a million times and you’re right –
Scambray: They can never underestimate the stupidity of the developer.
Sima: That’s right. That’s why we’re – that’s why –
Laflotte: Got him. Got him.
Sima: You did?
Laflotte: Yep. Absolutely. John Heinz. We’ve got him right here. All I
need to do is switch it up, we do the same exact thing we did before
and we’re out of here.
Scambray: Let’s tie him down.
Sima: Let’s do it. Nice.
Knapp: Turns out the hackers’ ego becomes their downfall. The security
team pinpoints the location of the IP address and discovers the
attackers are within the confines of the Plaza.
Brown: He’s in 545.
Viega: All right.
Knapp: They’ve mapped the IP address to a specific hotel room and notified the manager so he can call the FBI.
Samona: Yes sir, this is Rick Samona. We found the room the perp is in.
FBI: FBI, get down, get down!
Knapp: Busted!
So what did we learn from all this, Joe?
Stagner: Well Jessi we learned several things. First we learned that
once they get in it can be really hard to get them out. We also learned
that hackers have a particular mentality. It’s only the fact that these
guys got a little overconfident that allowed the A team to catch them.
What if they’d have waited a couple of months before that 20 million
dollar score, or they waited two months, stole five million dollars,
waited a couple more months, stole five more million dollars, it might
have gone on for a really long time. It would have been much harder to
catch them.
Knapp: So it was the hackers’ ego that got them caught this time.
Stagner: This time they got caught because of their ego. But what we
really learned is the best solution, the most cost effective solution
is that companies that develop software need to think about security
and invest in security before they deploy their applications.
Knapp: So it’s better to be safe than sorry.
Stagner: That’s right.
Knapp: Cheers to that.
Samona: So since we had the full cooperation from the casino we managed
to actually map out which room number the IP address was coming from
and target where the perpetrators were. We called up the casino manager
and indicated to him what room they were in, he sent up the FBI agents
to actually crack down on these people and sure enough they caught them
red-handed in the process of stealing more money.
Viega: They were right under our nose.
Samona: Busted!
Sima: This kind of stuff that we’re seeing in banks and the kind of
attacks that we’re seeing in this like online casino application are so
common it’s unbelievable.
Scambray: A lot of people put a lot of assumptions in the technology.
They think that really smart people cooked it up therefore it has to
have really good security. In fact the case tends to be the opposite in
a lot of instances. The technologists have been so smart, they’ve
enabled so much functionality, the ability to be so creative with
software development that really you have the opposite situation in a
lot of cases.
Sima: And I’m going to have to tell you that out of my experience, out
of all the things that I’ve done I will tell you that every single site
or company can be broken into.
Viega: The lesson learned here for people who deploy software systems
is if they’re protecting critical data keep them separate from the rest
of the world.
Laflotte: Typically what we find in the field is security has to be
spoken of upfront, so in formal design and even informal, when you’re
developing an application, if you don’t want to waste time and money
the thing you need to do is design the application first, know exactly
where all the features are and then you set all of your developers on
the task of building that application. Security needs to be one of
those features, one of the things you talk about in the beginning.
Viega: For people developing software, you need to start thinking about security.
Sima: This kind of stuff that we’re showing, the SQL injection, the
session hijacking attacks, is application level security issues are
everywhere.
Samona: Now the casino application they waited until they actually were
attacked to go ahead and fix the problem and once you’re attacked it’s
almost too late.
Viega: For the bad guys the lesson is don’t get caught if you’re going to do it.
Brown: I would like to just take a day, one day out of every
developer’s life, and just have them learn the basics about security.
And then here’s the thing. It’s not just the guy writing, calling the
security APIs that needs to know this stuff, it’s not the guy writing
the authorization or the authentication system that needs to know this
stuff. Every developer needs to know this stuff.
Swiderski: Once you’ve gained access to a system that system has to be
considered compromised from then on out. Even if you patch the
vulnerability that the attacker used to gain access there’s all sorts
of other things that they could have done in the meantime.
Brown: Well the helicopter ride was fun.
Knapp: I want to congratulate the security A team. They did an awesome job at stopping and busting the hackers.
To get more information on what you need to know to create software
that’s more secure, check us out at thecoderoom.com/vegas. Also, be
sure to complete the short survey to tell us what you think.
I’m Jessi Knapp. We’ll see you next time on The Code Room.
Samona: I think the biggest benefit out of The Code Room isn’t the
enjoyment that we got out of it, but the hopefully the educational
process that developers and organizations will learn sort of by taking
this sort of fun type of experience where we had a lot of fun and
hopefully the viewers watching it will have a lot of fun but actually
learn from it, because these are real life situations that are going to
– that are occurring now and are going to continue to occur.
Knapp: Oh, and so this other thing, I’ve been getting all these emails
from programmers and I don’t know if I should open the attachments or
not.
Stagner: Well, do you know if they’re good guys or bad guys?