DEF CON 29 - Sick Codes - The Agricultural Data Arms Race Exploiting a Tractor Load of Vulns

00:05 - I’m your host, Sick. Codes, And today we’ll be exploiting a tractor load of vulnerabilities in the global food supply chain in good faith.

00:14 - So I just want to start off with a quick photo.

00:16 - It’s from about the 1960s, and it’s of a farmer using a hand tractor.

00:21 - This is a hand operated tractor, as you can see.

00:25 - Compare that with the brand new John Deere 7450 ProDrive Autonomous Forage Harvester with GPS sensors all over it, a chainsaw, pretty much at the front and weighing over, 10 or 15 tons.

00:41 - So this is a monster of a device. Like I said, it’s autonomous.

00:45 - So it can run off if it’s in the wrong hands.

00:48 - So I just want to start by saying none of the research today was paid for, it’s all done in good faith, and nothing today represents me or any of the people involved, our employers, past employers, or future employers.

00:59 - We’re not under any gag orders. The only thing we are sort of wary about is vulnerabilities that we can’t mention that we would like to mention that’s still going with some vendors and all the content in the slides is Creative Commons Zero apart from any other stuff that relates to other brands in that case, all trademarks, logos and brands belong to them and remain the property of their respective owners.

01:21 - Just quickly on myself, I’m a good hackerman. I’ve got a GitHub, a Twitter, a newly built LinkedIn.

01:27 - I’ve got a couple of massive projects. My biggest project is probably Docker-OSX, with 15k stars on GitHub and 100k Docker pulls.

01:35 - So pretty much just QEMU Mac OS, but you can do a lot of stuff with it, including iMessage, for security research purposes only.

01:42 - I just want to start by showing you a quick map, emphasizing the amount of brown little spots all over the place.

01:51 - And what these are, if you don’t know already, which a lot of you might know, is they’re farms.

01:57 - Yeah, you can actually zoom right into those farms.

02:00 - And I don’t want to obviously dox to anyone, but yeah, if you were able to access all those farms, you would be able to do things like over-spray chemicals on to the field.

02:11 - So if you were able to over spray chemicals on the field, you could permanently denial of service to that farm by simply over spraying one season, but literally loading up the fertile ground with too many chemicals.

02:22 - And then the next year, or even the next 50 years, it will be unfertile or unsuitable ground for use.

02:27 - So you could permanently deny service to a farmer’s crop by literally a few lines of malicious code.

02:34 - So that would, that’s what I’m trying to get out here, that denial of service is a huge impact for the agricultural industry in that say, for example, coming to harvest season right now is winter wheat harvest for some farmers, depending on where you are in the US but you can actually denial of service those farmers.

02:50 - And that also occurs during seeding time or planning time, and also spraying time, any one of these parts of the supply chain of food and Ag, every single one of those parts needs to be online, 99. 99999 SLA.

03:04 - If it does go down, farmers will tell you that they’re pretty much screwed for that season and they can lose crops.

03:11 - And some of the crops cost hundreds of thousands of dollars.

03:14 - And if that information or the login details or something like that was provided to a third party, AKA state actor, they could do something like a malicious update to the tractor.

03:23 - They could play with the ECU, they could send it to overdrive, they could drive it into the wrong location.

03:28 - They could send it in to plant the wrong field.

03:32 - Most disturbingly, one of the guys mentioned this on my blog I did earlier is that they could offset the tractor by X amount of degrees or coordinates, and actually drive the tractor onto the highway into a river, through a fence.

03:46 - And another example of permanent denial of service.

03:49 - So what we consider downtime in a website for five minutes might be the difference between a tractor driving, auto track goes off, tractor keeps driving, tractor hits a tree, or injures someone.

04:03 - And the big question here is why did we actually start looking at agriculture, and why is it such a big issue, and why didn’t a lot of people start looking at it? The main reason was that nobody else was actually looking at it.

04:13 - So that’s probably the biggest reason. And the biggest reason that I started looking at it was someone who I know very well named Paul Roberts from The Security Ledger mentioned to me that, “Hey, it’s really weird that there’s no CVEs on John Deere’s products. ” And I go, what does John Deere actually have? And then I thought about it for a bit and did a bit of research, and he introduced me to a couple of guys.

04:33 - One of the guys, namely the first guy that I met was Willy Cade, and his grandfather was actually on the board of directors at John Deere.

04:40 - And his grandfather actually had a patent with John Deere.

04:44 - And that was including this manure spreader that’s down in bottom left.

04:48 - And Willy, obviously, knows lot about farming and a lot about the history of the activities of some of these farming companies and all the way through to a fully autonomous GPS controlled motherload of just steel and aluminium and danger.

05:04 - And also the emphasis of them relying on all this equipment to feed every single one of the people in the world.

05:12 - And not just that, but also feed all sorts of different industries, biofuels, biogas, carbon emissions, et cetera.

05:21 - The second guy that I was introduced to is Kevin Kenney, he’s a big right to repair enthusiast, as is Willie.

05:27 - Kevin lives out in Nebraska, he’s an engineer and a farmer, this photo is from a Bloomberg article that he did in relation to how John Deere is screwing over a lot of farmers.

05:39 - And you can see he gets the gravity of what’s going on by the size of the wheel that he’s sitting in.

05:46 - These aren’t ordinary wheels. They’re not cheap to replace either.

05:51 - I’ll just quickly breeze over the hackers. We’ve got myself, wabaf3t, D0rkerDevil, John Jackson, johnjhacking, rej_ex, which is Robert Willis, we’ve got w0rmer, ChiefCoolArrow, who is currently MIA, don’t know where he is, and Kelly Kaoudis, who also helped us in a previous project.

06:10 - So every single farm is connected, whether it be through 5G, which is incoming.

06:14 - Obviously we have LTE 4G, we’ve got 2G and 3G, the older connections or slower connections.

06:21 - LoRa works out in the field because there’s no obstructions and everyone can actually communicate over long, long distances, and there’s no obstructions usually on the farm.

06:29 - Obviously we have WiFi, there’s GPS involved, GPRS, which is still involved in Ukraine.

06:34 - And then we’ve got three different types of major corrections that I’ve mentioned called WAAS, RTK and NTRIP.

06:42 - So WAAs and RTK are radio-based, but then there’s NTRIP, which is kind of like NTP.

06:47 - So basically ping-based location information.

06:51 - So pretty much pinging back to servers or WiFi signals to be able to find your device based on triangulation of that ping time.

06:59 - This is a rough diagram, not to scale in any way whatsoever, but that’s GPS and then we use GPS plus another one of those corrections signals to actually triangulate the exact position of a device.

07:11 - And you can imagine planting and not having that sort of accuracy and be planting every seed would be, for example, or every row might be dipping into the next row or the row before it.

07:23 - And the data, what does it do? Well, it provides a price of corn.

07:26 - Corn is used in both ethanol production and it’s also fed to cows to make it livestock and other types of beef and pork, et cetera.

07:35 - But it’s also used in ethanol. And all of that data is also considered in some way or another trade secret.

07:41 - Considering all the data that a farmer gets, which is, you can see in the top left of the image that is actually the row with a overlay of the farm, again, it’s quite dark, but it’s an overlay of the farm getting planted on to, and you can see that that data is technically a trade secret and who has access to that data? Because all of that data at the moment, as you can imagine, is getting shoved back through a 4G or LTE connection or until the farmer gets back into range, if it gets sent back to the operation center, which John Deere owns, and that’s called the John Deere operation center, which we hacked into, and we’re getting to that in a bit.

08:17 - So the biofuel sector is a sector of the agricultural industry that relies on amassing carbon dioxide from the atmosphere and then burning it as biofuel.

08:28 - And this is the windows XP background, obviously, and at the bottom, it’s being used as a vineyard at some point in time.

08:34 - I don’t know if it’s exact one, but it looks good.

08:36 - Other uses of the data include carbon credits, the carbon offset market, and a guy named Shannon Sedgwick who’s a farmer in Australia to a managing director of a couple of Ag security companies.

08:46 - He mentioned to me this, and I thought about it and looked into it a bit more.

08:49 - And apparently it’s mandatory in some places, for example, Australia, depending on which industry you’re in and it can be voluntary.

08:55 - So if that data were to go missing, okay. So if that data was to go missing through some sort of attack, then that would be catastrophic for that sort of government rebate-based industry or mandatory industry.

09:06 - Now you can actually simulate, this is my developer account at John Deere.

09:10 - You can simulate those devices that I showed you earlier in the tractor cab.

09:14 - So you can simulate, for example, a self-propelled forage harvester I’ll give you an example of one now.

09:20 - Now this is one, this is a big powerful, probably 300, 400, 500 horsepower machine.

09:26 - It just shreds, eats up everything that it comes into contact with.

09:30 - And that there gets used as forage, which forage is usually used as feeding or biofuel or biomass and things like that.

09:38 - And basically you can have look at the big teeth on it, it will shred anything that it comes into contact with.

09:43 - That’s an R thousand series, it’s got AutoTrac, so that will automatically drive and steer the tractor for you, it’ll stay in line using AutoTrac, Auto Fill it will automatically calculate how far it has to shoot the auger.

09:58 - And it’s got a display it’s the 4640 based on Yocto Linux, which we’ll get into later, and it’s covered in sensors and all this sort of stuff, and it will automatically adjust and change speed.

10:08 - And it’ll line up with the cart next to it, grain cart, make sure it’s all lined up.

10:12 - It’s all autonomous and see the big yellow dome.

10:15 - It’s pretty small, it’s on the top of the head of the tractor, that’s the GPS unit.

10:20 - I’ve got auto lock for staying in line. And then all that data gets sent back to your Windows 7 computer at home, Windows Vista.

10:28 - And that gets translated through to someone on Windows 10 at the John Deere operation center, someone manually handling the data.

10:37 - We’ve got some awesome features like John Deere connected support, where someone out in the middle of a field in a undisclosed location, you can actually log in to your tractor and control it remotely per se, which is fantastic.

10:51 - As you can see, we’ve got remote access, so we just remote into the tractor at any time.

10:55 - And that includes staff members. Those two massive things I want to point out on that remote access display screen is that one, you can send files to a tractor, two, it was copyright in 2014, so it’s quite old, And three, you can remote access the tractor.

11:11 - That’s really important because what we’ll show you soon is that we were able to manipulate this in some way.

11:18 - And then John Deere service support. Also, obviously there’s a threat actor on the inside.

11:22 - They can just automatically access anyone’s tractor through the master dealer service admin portal, which is fantastically set up so threat actors can do little amounts of damage, hypothetically.

11:36 - So then I started to dip my feet in and basically I’m just gonna quickly glance over the first vulnerability, which was a username enumeration one where I could obviously enumerate user names based on that.

11:49 - I’ve got the fortune 1000. I won’t go into it cause it’s kind of boring, but I got the fortune 1000 CSV file, submitted that as a API request, and got back 20% of the names, sorry, 20% of those accounts being registered.

12:03 - This is me adding pieces of equipment to my farm that I technically don’t own for research purposes, but I’ve just picked up these numbers from a auction website and there’s a lot of data involved.

12:13 - So all it’ll say is this machine has already been added, but in the response there’s a ton of data.

12:19 - So all it will say is equipment already exists.

12:22 - And I’ve had to skip a little bit here because there’s a lot of PII, including first name, last name, leasee, address line one, address line two, and everything like that.

12:30 - And I’ve had to skip that obviously, cause it’s PII.

12:33 - So Vice covered this, writer named Lorenzo, great guy.

12:37 - He covered it in a story, “Bugs Allowed Hackers to Dox All John Deere Tractor Owners”.

12:42 - So originally the article did say all, but John Deere apparently reached out to them as opposed to reaching out to us and said that it’s only some tractors and the actual conclusion there is it’s only new tractors, which is probably even worse.

12:57 - So shortly after that, a hacker named wabaf3t reached out to me and told me he’s got five XSS vulnerabilities in the John Deere website.

13:06 - And I asked him if he could reach out to me on signal, we can have a look.

13:10 - And that’s when we found his motive, so I said to him, there’s a really funny comment where I said, ah, “fuck doing this for free” where he said, “well, at the end of the day, I’d rather do this for free than lose food”.

13:23 - And someone’s got to save their dumb asses.

13:26 - And he obviously mentioned it to John Deere.

13:28 - And he said that he’s got vulnerabilities to report and we try to report it to John Deere.

13:32 - So we got, we were granted safe harbor, which means we can do whatever the hell we want, as long as it’s in good faith and they won’t do anything in terms of legal issues.

13:42 - So once you click that link, it brings you to their website and that allows you to submit a form, and then that form gets you onto their hacker one program of which I was the first researcher in.

13:52 - And I’ve now since left the program because it’s a NDA program.

13:55 - There’s no bounties, they’ve got swag apparently now, which I don’t give a shit about because I don’t want to give my address to them.

14:01 - But here’s the first vulnerability, the XSS.

14:02 - So its basically just a DOM based XSS, which I’ll get into later, but this is just me pretty much showing you that it exists.

14:09 - Obviously XSS is a really basic vulnerability, but what it does show you is that they’re not taking into consideration basic vulnerabilities.

14:16 - They’re not taking into consideration the fact that somebody can just literally produce basic 2015 level XSS on one of their major password sites.

14:26 - What do I mean major, because it’s a Supply Network page and I could just log in as a guest or not even log in, and we can also see the dev or QA part of the supply network, which was even more exciting.

14:38 - So this is the John Deere supply network page, where you can, due to new functionality, just supply a purchase order number and receive all the information back related to a purchase it’s for suppliers only, but we were able access it, of course.

14:54 - And as you can see here, this is me just putting in a star and then the response, apparently, for some reason, it gives you a invoice number of 0106, which we then further use to try and enumerate other invoice numbers in some way.

15:11 - And we ended up seeing that it’s an IBM Db2 database, which I didn’t have much knowledge about, but what it did do in the response is give us a really nice constructed error message that shows the offending query and showing that we were able to inject it in some way, because that was not the original query whatsoever.

15:29 - And some more errors from a John Deere copyright 2011.

15:35 - And for some reason, they still had the 1999 version of their portal up with lots of cool different buttons we could press and the single sign-on didn’t work.

15:47 - So I don’t know why it was still up or we didn’t test it enough, but that probably should not be there.

15:52 - As you can tell, it’s quite old. John Deere employee access, which we obviously shouldn’t be able to just enter.

15:58 - It’s the John Deere University, that’s the John Deere Machine Book.

16:03 - This is a really funny device, actually. This is the place where you go to book machines, demo units to provide to farmers, like YouTubers or something like that, like influencers, or demo units to whatever.

16:15 - And there’s a little DOM based XSS that we put in the bottom of the reservation page.

16:18 - You can see that it’s got the back tick then, sorry, it’s got the double quote and the right arrow.

16:24 - So not only that, but we were able to book units and spec units, were able to cancel appointments, reassign tractors to certain locations.

16:32 - It doesn’t sound exciting, but we did do, which was kind of exciting was we just injected the database and pulled out every single row for every single session.

16:40 - But yeah, we could see every demo unit that was ever provided and all the John Deere user names, email addresses that were use to book those units.

16:50 - Then we found something specific, okay. So this is the Dere single sign on SAML edge server instruction ReadMe file.

17:00 - So John Jackson and rej_ex discovered a CVE end platform named Pega or Pega.

17:07 - And what it is is like a default admin credential style.

17:10 - By the way, if you don’t change it, you pretty much just give everyone access to your remote Pega server.

17:17 - That’s what we did. It’s got a 6. 6 for some reason, NIST gave it a 4. 9.

17:22 - I’d probably give it a 7 or an 8 depending on what the company is, but in this case, it completely destroyed integrity and confidentiality of John Deere’s one.

17:33 - As you can see, we had access to the single sign on, the SAML, there’s a John Deere backup part there, we’ve got the request approval, we’ve got all sorts of cool stuff.

17:44 - There’s the edge server we got from there. And then interestingly from that information we got some administrative Pega credentials, as you can see I’ve had to blur out the password and the system ID name and the time difference and all this sort of stuff, just to make sure you can’t, I guess, replicate it, but it’s the process Pega commander.

18:05 - Secondly, we’ve got a portal admin server data, administrative account credential password here as well, which is ridiculous, we shouldn’t have this.

18:14 - We’ve got a security audit log, which we should be not able to view.

18:20 - And we could see our own selves in there and then Pega admins logging in for some reason.

18:25 - And then we had this gold piece of whatever the heck it is.

18:30 - It is their Okta signing certificate, I believe.

18:35 - So what we’ve got blurred out is the ID number that relates to their Okta account.

18:40 - We’ve got the KMS, which is their, I guess is their the Pega administrative Okta address URL that goes to signed tokens, et cetera.

18:48 - We’ve got the original signature password blurred out.

18:51 - We’ve got the prod symbol there, so you know it’s in use.

18:54 - We’ve got the original decryption password also blurred out for obvious reasons, with the signing certificate details.

19:00 - And you can see clearly that it’s John Deere and it’s Okta related.

19:04 - And furthermore, I’ve only blurred it out once for some reason, and they’ve get the single sign on, the SAML URL related to the John Deere side.

19:11 - And then down the bottom, we’ve got a decryption certificate and a beautiful expiry out of 2029.

19:16 - From this, just backtracking, this can pretty much allow us to upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log in to any third party accounts.

19:32 - We could literally do whatever the heck we wanted with anything we wanted on the John Deere operation center, period.

19:38 - And that’s when we pretty much stopped because we pretty much had rope on the whole organization.

19:44 - And, obviously we gave all this information directly to John Deere in record time, we actually had to get CISA involved because they were not responsive.

19:51 - And CISA actually took over for a bit and helped them remediate the vulnerabilities.

19:56 - Let me move on to the second manufacturer. So Case IH, this is the last one we’ll look at because I’ve only got 20 minutes and the other ones aren’t actually fixed yet, but Case IH is probably the biggest competitor.

20:06 - So that’s Case International Harvesting + New Holland.

20:08 - They all amalgamated, they like to buy each other out.

20:11 - And they’re also super connected tractors. It’s the Magnum series with a customizable display, same sort of stuff, but that’s an Android based one, Fantastically, again, we’ve got remote access 300 miles away.

20:24 - I think you can get access from a little bit farther away than that, but your Case IH dealer will be able to access your account remotely from literally just your ID of your account.

20:35 - And that’s the guy, there. I’ll just mention this briefly, cause he’s got 24 pens in his little pen holder.

20:41 - I just think that’s funny, but yeah, he’s controlling your tractors, so, worry about that.

20:47 - This is the JavaMelody server that we found with Case IH.

20:51 - Yeah, we could just browse the JavaMelody server for your sessions.

20:55 - This was all Brazilian data, for some reason.

20:57 - I forgot to blur out his IP, but basically he’s a Chrome user, I’ve got his session ID.

21:02 - So I can obviously just replicate that session.

21:05 - I can just log in as that user by duplicate, just copying that session ID in the top left that I blurred out.

21:10 - When there’s a list of sessions and how old they are and all the attributes allowed to them, or sorry, attributes assigned to them like, you know, user name, first name, last name, et cetera.

21:19 - I’ll just show you another user we’re looking at here.

21:20 - It’s got the full name bottom right which I have to blur out, obviously, scope, so what they’re allowed to use, and then they’ve got the session ID again and their IP address.

21:29 - And this is all publicly assessable, which is ridiculous.

21:32 - And then the bottom of that JavaMelody, if you’ve used it before, there’s a couple of cool functions.

21:36 - You can do all sorts of cool shit like invalidate all the sessions or execute the garbage collector, or you can even reboot it, which we accidentally did, for research purposes only.

21:44 - Or we killed one process and then took a while, it came back on the next day.

21:48 - But yeah, just by having that, just as an example, that’s an example of a denial of service loop that was done in good faith ops.

21:55 - It was accidental. We can see a lot of stuff we can do with JavaMelody.

21:59 - First of all, it shouldn’t be exposed. Second, we shouldn’t be able to invalidate everyone’s sessions and we shouldn’t be able to see them either.

22:07 - And then I’m just honing in on the invalidation there.

22:11 - So we actually had a lot of hard times getting into contact with these companies.

22:14 - I’m talking like, we’re talking like weeks to get in contact with these companies.

22:18 - Absolutely ridiculous. This is an email that we sent in April, printed out bound into a book by Willie and delivered, hand-delivered to the John Deere headquarters because they wouldn’t reply to us in any way, shape, or form, just reminding them that we’ve identified a ton of risks, mainly that we can log in as anyone in John Deere’s platform, and that should probably get looked into.

22:44 - And we hand-delivered this one. So this is a photo that Willy took of the CNH headquarters up the road from his place in Illinois.

22:52 - And you can see there it’s got security office.

22:54 - So that’s obviously where we dropped it off, COVID restrictions were in place.

22:57 - So it was pretty hard to get in touch with someone there Willy said, but he eventually handed it off to someone who had no idea what they were doing with it, and we didn’t actually hear back from them about this.

23:08 - So we ended up getting through to them in the compliance portal, weirdly enough.

23:12 - But the only way to get in contact with Case, I rang them a few times and they were extremely rude, I’ll put the phone calls on my website, they’re hilarious.

23:20 - They’re actually like bizarre the way that they spoke to us.

23:23 - But the way that I got into contact with him is through this weird link in their compliance and governance page called the CNHIndustrialComplianceHelpline. com So when you read it, when you go to that website, you get redirected to a third party called Navix global, who’s very popular in this sort of field.

23:40 - EthicsPoint it’s called, where you can get in touch with a third party that will relay info back to the manufacturer.

23:48 - And we ended up chatting to them and asking them, “is it safe to provide the reports over this channel?” They said, “we are Case. ” I said, “are you sure? It looks like Navix to me. ” But yeah, apparently that actually works and eventually we got in contact with them.

24:00 - they fixed them, and then we never heard from them again.

24:04 - Just back on John Deere. And I’ll just finish with this unit.

24:07 - This is the MG 4G LTE gateway. This is the brains of the device.

24:11 - This is the brains of every tractor. It goes on every tractor and apparently goes on buses, as you can see in the top left-hand corner, this is a fully loaded device, runs Yocto Linux, certified in 70 countries, whatever that means.

24:25 - A full IP 67 container, so it can run in snow or super heat.

24:30 - It’s got SIM card, it’s got satellite connections, it’s got WiFi connections, it’s got Bluetooth connections.

24:38 - And here’s what it looks like with the IP 67 case all hooked up.

24:42 - And this is what it looks like with a JTAGulator hooked up to it.

24:45 - And we pretty much still hadn’t got access to this device.

24:48 - It’s proving to be a little bit difficult and I actually spoke to the guy, Joe Grant, who made the JTAGulator about it, and he gave me some pointers about it.

24:56 - The easiest way to get around it would probably be just to ask John Deere for the source code.

25:00 - So that’s what’s ongoing at the moment. Apparently we’re allowed to obtain a complete copy of the corresponding source code for the entire device, which I’ve sent to them about two months ago and I’m still waiting.

25:10 - And apparently it’s in the works, and they’ve said to me that I’m getting it in a few weeks and I don’t understand how it could take a few weeks to de-sanitize a source code project where someone prior to me has probably has actually asked for the source code, so they should be just on hand.

25:27 - I don’t really understand how it can take weeks to get a GPO request to them done.

25:32 - And secondly, it’s valid to anyone who receives this information, so you don’t even need it.

25:36 - And apparently they were asking us for serial numbers and stuff, and what’s our serial number, but I refer to the offer, which says refer to their offer, which is valid for anyone in receipt of this information.

25:47 - What I found actually, delving into this device is it’s got a Qualcomm chip in there.

25:51 - And we all know that Qualcomm has serious problems at the moment, the MDM 9215 chips specifically, along with about 70 chips that run Snapdragon and things like that.

26:05 - Pretty much a monthly CVE roster for these devices like critical, critical, critical, and high ones.

26:10 - And so it says at the bottom there, OEMs have been notified and encouraged to patch these issues.

26:17 - So I’d say if you’re not being encouraged to patch the issues, you’re actually insane.

26:21 - Cause these are ridiculously vulnerable bugs.

26:25 - You can see the top one there 2020, and the bug was actually published in middle of 2021.

26:29 - So it’s a serious, critical vulnerability that there’s not much information about, but just patch, patch, patch.

26:36 - And I’ll just say, thanks for everyone for listening.

26:38 - This was originally a 45 minute talk. You can visit us all on Twitter.

26:41 - We’ve all got different Twitters, but you can Google us.

26:43 - And thanks everyone for watching and hope you guys have a great end of your DEFCON.

26:48 - And get involved with the farming industry, there’s no barrier to entry.

26:52 - It’s a really cool industry to get involved in.

26:54 - There’s a lot of YouTube videos about how things work and you can really find out some interesting stuff and get some value out of hacking farms because all the work that you do is pretty much used to feed everyone.

27:04 - So thank you and have a great night, everyone, and thanks for listening to the talk. .