Company Thanks Guy Who Alerted Them To Big Security Flaw By Sending The Cops... And The Bill
from the this-is-why-white-hats-go-black dept
We've seen before that organizations don't seem to react well to outside security folks pointing out vulnerabilities in their systems. They very often take a "blame the messenger" approach -- as if pointing out a flaw suddenly makes that flaw come into existence. But one company seems to be taking it to another level. That Anonymous Coward points us to a story in which a security professional found a big and ridiculously obvious bug in the website of an Australian investment fund, First State Superannuation. Apparently you could see other people's accounts by merely changing the account numbers in the URL. Increase the number by one, and see the next user in line. This is the kind of extraordinarily basic mistake that I thought had been eradicated a decade ago. Apparently not.
But the company that runs the fund, Pillar, went quite crazy about this. While the company did fix the security hole, it also sent the police to interrogate the security researcher, Patrick Webster. Pillar also sent a letter to customers (pdf) in which it suggests that Webster created this massive security flaw, rather than their own dreadful programming:
> It has come to our attention that a member of First State Super, who has online access to their account, devised a way to view an image of your statement.
And then, to add insult to injury, Pillar sent Webster a letter saying he broke the law, they were closing his account, and may seek money from him to fix the vulnerability:
> Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, you actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.
> Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.
> [....]
> In addition, the Trustee reserves its rights to require you to allow it's (sic) IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.
> In the meantime, the Trustee has suspended your online access to the Member Section of the Fund's website.
Yup. Help Pillar out, uncover a basic programming/security mistake that puts the info of tons of people at risk, and get punished. Pillar apparently prefers to have people never report any problems they find with its system at all, keep its head in the sand, and instead allow malicious hackers to run wild through a totally insecure system. Brilliant work.
Filed Under: australia, blame the messenger, patrick webster, security, vulnerability
Companies: pillar
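The flaw described in the post, where the account number in the URL is trusted without checking who is asking, is a missing per-object authorization check. The Python below is an added example, not code from Pillar or from the article: the handler names, session table, statement store and log entries are all constructed, and it shows the vulnerable lookup beside a corrected one plus a simple log check for one session walking through other members' account numbers.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (hypothetical): statements keyed by account number.
STATEMENTS = {
    1001: "statement for member A",
    1002: "statement for member B",
    1003: "statement for member C",
}
# Constructed session table: session id -> account number that logged in.
SESSIONS = {"sess-a": 1001, "sess-b": 1002}


@dataclass
class Response:
    status: int
    body: str = ""


def get_statement_vulnerable(session_id, account_id):
    """Checks that the caller is logged in, but not whose account is requested."""
    if session_id not in SESSIONS:
        return Response(401)
    # Any logged-in member receives whatever account number the URL carried.
    stmt = STATEMENTS.get(account_id)
    return Response(200, stmt) if stmt else Response(404)


def get_statement_fixed(session_id, account_id):
    """Authorizes the requested object against the session's own account."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return Response(401)
    if account_id != owner or account_id not in STATEMENTS:
        # Same answer for "not yours" and "does not exist", so responses
        # cannot be used to learn which account numbers are valid.
        return Response(404)
    return Response(200, STATEMENTS[account_id])


def flag_enumeration(log_entries, threshold=3):
    """Return session ids that requested `threshold` or more distinct
    account numbers other than the one they logged in with."""
    foreign = defaultdict(set)
    for session_id, account_id in log_entries:
        owner = SESSIONS.get(session_id)
        if owner is not None and account_id != owner:
            foreign[session_id].add(account_id)
    return sorted(s for s, accts in foreign.items() if len(accts) >= threshold)


# Constructed access-log entries: (session id, account number in the URL).
SAMPLE_LOG = [
    ("sess-a", 1001),
    ("sess-a", 1002),
    ("sess-a", 1003),
    ("sess-a", 1004),
    ("sess-b", 1002),
    ("sess-b", 1001),
]

if __name__ == "__main__":
    print("vulnerable:", get_statement_vulnerable("sess-a", 1002))
    print("fixed:     ", get_statement_fixed("sess-a", 1002))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))
```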
Reader Comments
Not that I've ever been able to find a security problem, but I do probe; if whatever website I'm using has security so bad even I can crack it, why would I continue to use it? (And being aware of security problems, why wouldn't I let them know so they can fix it?)
[ link to this | view in thread ]
Re:
I've personally done exactly what he did on a number of websites, a very tiny amount had the same problem. I could see other people's things which I shouldn't have been able to. And I'm no "hacker". Just a guy who is curious about random things and said "I wonder what would happen if I change a number and hit enter".
Which means I need to stop doing that. If this is any indication of where things are going. I'd hate to have the cops sent my way, as well as a bill, and blame for the problem for a website/company's OWN shortcomings.
[ link to this | view in thread ]
Next, you need to read the source, wherein Patrick Webster not only admits to illegally accessing other people's accounts, he submitted WRITTEN EVIDENCE to the company of accessing a thousand other accounts as proof of their vulnerability.
Neither side is going to come out smelling like roses, but Webster really put his foot in his mouth on this one.
[ link to this | view in thread ]
In the future, he should post the "hack" anonymously, then sue them for allowing the security breaches that inevitably will ensue. It's the safest course.
[ link to this | view in thread ]
He should have exploited the flaw
[ link to this | view in thread ]
Re: Re:
Better I get fined and jailed than a real criminal be able to grab everyone's info, do the whole identity theft thing and probably get away scot-free.
[ link to this | view in thread ]
Re:
The linked source says he only accessed a former colleague's report. Lemme check this on the web with other sources before I call bullshit.
[ link to this | view in thread ]
Re:
What I'm gleaning from multiple sources is that he DID NOT access anyone's reports besides his colleagues; he wrote a script that could access everyone's reports and sent the script to IT guys at the company.
[ link to this | view in thread ]
I've done that
Did that with my ebill for my mobile phone provider and started seeing other people's bills. I alerted them immediately, and the system went down for a couple hours and when it came back up it was fixed.
A few days later I got an email from the chief privacy officer of the company (I think that was his title) with a "personal" thank you for pointing it out.
[ link to this | view in thread ]
Re:
I think I speak for 99% of the 99% when we say we don't want you around.
[ link to this | view in thread ]
After all, that's what millions of people believe about global warming. If we tell the earth it's all a hoax then things will stop warming up! We just need to tell the website that the security flaw is all a hoax by a wannabe hacker, and the website will act as if the problem never even existed in the first place!
[ link to this | view in thread ]
Re: Re: Re:
I think what's needed is major changes in regards to companies' security policies online. If someone finds an exploit, they should be able to let the company know without fear of prosecution for pointing out something they should've been made aware of as a potential security risk (especially if they did no harm in the process of pointing it out). If it's something MAJOR that the company should've been on top of in the first place, the company should be held accountable and fined (and not "slap on the wrist" fined). Or perhaps the CEO. Like that, they'll learn to take our data security a bit more seriously.
[ link to this | view in thread ]
Exploit that sh*t for personal gain.
[ link to this | view in thread ]
Failed to understand corporations and bureaucracies.
Webster, indoctrinated in the myth that corporations are good and motivated by "excellence" rather than sheerly money, now knows different.
[ link to this | view in thread ]
Bank Security
He checks this out and yep, it's able to be opened with no effort, and the next one too, and the next one...
Then he tells the bank their safety deposit boxes are all broken, they might want to check into that.
The Bank throws him in jail for robbing the place.
[ link to this | view in thread ]
Re: Re: Re: Re:
Would existing privacy laws cover this sort of thing? Can we apply the 'moron in a hurry' test to "security" measures like this?
[ link to this | view in thread ]
Re: Exploiting the exploit...
I smell law suits with lawyers already salivating at the chance to take Pillar and its funds for an inconvenient ride...
[ link to this | view in thread ]
Lesson in dealing with corporacies
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
I'm not sure. Would they? And if so, what happens to Sony (after the PSN fiasco where people's data was stolen)? Even more so, what happens to Sony now (When they're starting to include in their Terms of Service agreement that customers can't/won't hold Sony responsible for any f*ck ups, even if they are clearly Sony's fault. And if you don't agree to the ToS, then your "only does everything" PS3 becomes a much more useless item.)?
Things like this are what make me shake my head in wonder. I remember less than a decade ago (I'm only 26) that the customer was always right and customer satisfaction was at the forefront of most corporations' business practices (I said MOST, not ALL). Now, hahahaha.
[ link to this | view in thread ]
Depressed Computers...
> a totally insecure system
Unsecure, Mike, not insecure. I'm fairly certain that the company's system isn't suffering from self-esteem issues. ;-)
[ link to this | view in thread ]
Re:
Anyway, back on topic, who wrote that system, monkeys?!! This is not a mistake a self respecting programmer/designer makes.
[ link to this | view in thread ]
Does Business 2.0 still run the "100 worse decisions of the year" article?
[ link to this | view in thread ]
If only...
Even if there is such a law, I'm sure that the corporations at most would pay a simple and small fine (while raising the money from customers, so it doesn't come out of the "company profits") and be on their merry way. Saying "We're looking out for our customers' best interest", when they're really only looking out to cover their own asses from their own mistakes.
Spin, it's always about spin.
[ link to this | view in thread ]
By the way, if this does constitute a crime, this could be easily turned into harassment along the lines of 'swatting.' Send someone a phishing-like disguised email with a link to confidential information that they shouldn't have access to and all of a sudden they can get arrested for clicking a link....give me a break.
One other thing though...holding entities accountable for breaches is a dangerous game. What would be considered "reasonable" measure of security by some court case today could be extremely negligent 5 years from now. And we all know how well the courts keep up with technology in their rulings.
[ link to this | view in thread ]
Re: Re:
What do you expect from a continent inhabited by the descendants of criminals ... ;)
[ link to this | view in thread ]
Re:
Here's some incentive for you: http://www.aussiecooking.com.au/
[ link to this | view in thread ]
Re: Re: Re:
The fact that their server responded to a request for any account means, technically, they had no access control measures to circumvent.
Pillar refers to this as "unauthorized access" but their server responded with the data, and had every opportunity to apply whatever authorization logic to the request they wanted.
This is analogous to phoning up a bank, asking for details of any account, getting it, and them blaming you. He asked for it, they gave it to him.
What this really shows is an epic lack of understanding of web app security on the part of Pillar. Anyone banking with them should close their account NOW; keeping your money with these guys is just begging to get it snatched.
[ link to this | view in thread ]
Re: If only...
Attempts to legislate reasonableness often spin out of control rapidly into bureaucratic nightmares. Legislation is not a panacea. Any proposition that just says "Oh they should just make a law and then this will never be a problem" is hopelessly naive. A new law may make a situation better or worse, but it *always* comes with a cost, and that cost may be far higher than the cost of the problem it tries to solve.
[ link to this | view in thread ]
Re:
At least he doesn't appear to have any criminal charges hanging over his head.
[ link to this | view in thread ]
Re: Depressed Computers...
Your more better english correction are very appreciateful.
I unknow what this place would becoming with not the helply advice of peoples who have clearful comprehended of these language. That would be humoury.
[ link to this | view in thread ]
The real mistake...
As soon as he found the flaw he should have called, closed his account, then taken them to court for allowing his personal information to be accessed by criminal elements through a ridiculous lack of security.
Doesn't matter that he doesn't know if some criminal had ever looked at his information. It was made available to anyone by a company that was tasked with protecting it.
[ link to this | view in thread ]
Re: Re: If only...
While some legislation lays out specific techniques that must be followed, they typically include statements to the effect of "Use of all reasonable data security best-practices".
[ link to this | view in thread ]
Re:
I run a team of web app devs, we deal with sensitive data, and if a junior dev did this, he would be pulled from the project and put on remedial web training for a couple days. An intermediate or higher dev would be summarily dismissed.
This is basic, basic stuff. Their response displays an appalling lack of technical understanding.
[ link to this | view in thread ]
It's not just corporations, it's just average morons in a hurry
Several times I sent the link, an explanation and an excerpt from the file to the Florida attorney general's consumer affairs office. They never even responded.
So I removed most of the personal info but left just a part of the mailing addresses and area codes so that it was obvious the data was valid and I bcc'ed it to each of the e-mail addresses explaining to them that they had been suckered in by the spammer and that their personal and credit card info was now an unprotected file on the internet. I also provided the URL for the home page of the site (not the one to the files). It seemed like they'd want to lock their credit reports and replace their credit cards.
The only responses I ever got were people accusing *me* of stealing their personal information, and of being the scammer and telling me that they were going to get police and/or lawyers after me to find out who I was and where I lived.
Long way of saying I think the corporate reaction is just a reflection of the typical moron who works there - ready to lash out at whoever dares to expose their own idiocy/incompetence.
I monitored the file for many months afterwards and it remained up there. I kept sending copies to the FL AG but they didn't give a shit.
[ link to this | view in thread ]
Re: Re: If only...
Naive or not, what you just described in your post is the system we have right now.
The only thing I wanted to point out is how the company pays a simple minor fine for doing the wrong thing, and the individual trying to do the right thing ends up being threatened with and may end up doing prison time all due to the "letter of the law".
No good deed by an individual goes unpunished, and no bad deed by a company goes unrewarded.
[ link to this | view in thread ]
Re:
That's just not true. Just because the company and other white hats don't know about it, it doesn't mean a black hat isn't aware and is using (or just not preparing to use) the information to exploit the users of the account.
[ link to this | view in thread ]
Wrong bill
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
It's the Markets (i.e. people, who comprise the markets) that should be regulating the companies.
If you notice, it's indeed the government that's being used against the customer in this case (e.g. laws in place that punish him for no reason)
In reality, the company should be completely liable for any and all bad things that happen from this horrible 'security'. No limits. That is how a market regulates itself - not by passing laws, but punishing a company if they are shitty, instead of using laws to shield themselves.
[ link to this | view in thread ]
At least their cops can realize that no crime has been committed and cease pursuit in a fairly expedient fashion.
Reports are that the CEO is backing down and wants to 'talk' to him now.
http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html#ixzz1bA54owoy
[ link to this | view in thread ]
Re: It's not just corporations, it's just average morons in a hurry
The book he wrote about his personal experience should be required reading for anyone who is in the computer security business, as it shows just how hard it is sometimes to get anyone to listen to the facts.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
Yeah, it's just too bad that that doesn't actually happen outside of certain kinds of markets (specifically, ones where there is a lot of competition without collusion.) Those kinds of markets can only persist with the assistance of regulation. Even Adam Smith acknowledged that unregulated capitalism is unstable and will always devolve into a monopoly market, and monopoly markets do not self-correct.
Unfortunately, appropriate business regulations have been increasingly absent over the past few decades and so such markets are growing increasingly scarce.
[ link to this | view in thread ]
The very first level was protected by JavaScript, with the user and pass stored in an external JavaScript file. I thought it was a joke, that nobody would be dumb enough to use something as insecure as that to protect something even mildly important, so I went on a hunt.
With the number of websites on the internet I didn't want to just start randomly searching, so I picked a bunch of local businesses or organizations. I opened a bunch of these sites and looked for a login area. After looking at the source code of the login page on most of them I assumed I was right, none of them used anything even close to as insecure as what I had been reading about. That was until one of the last ones, the local hospital.
They had a section called "Staff", with a login page. When I checked the code I saw some obvious JavaScript that was meant to check the entered username and password against some other values, values that were stored as JavaScript variables. So I went looking through the code, and had to take a second look, when they embedded their external JavaScript file they didn't give the file an extension, and they called it "JavaScript" I guess as a way to throw off anyone looking around.
So in the code there was src="JavaScript" instead of the usual src="somefile.js" which is easier to see.
I was a bit hesitant at first because I was expecting medical information or something. But I figured that if someone else found it they could do much worse than I would, because I wasn't doing anything except looking.
So I checked the JavaScript file and was even more surprised to find that there was only one login name and password, meaning that everyone that used it used the same account.
So I logged in and found that it was just a repository for all of the official hospital stationery and logos and stuff like that. Images, Word Documents, everything. There was nothing at all stopping me from downloading official letterhead, brochures, logos, or anything else I wanted to be able to create fake hospital documents.
I sent them an e-mail right away to let them know about it. I never heard one word from them, they didn't even acknowledge that they received my message. However, the very next day when I checked the login page again it was all changed and used some sort of PHP login system.
So it makes no sense to jump on the messenger in these cases, it just makes people less likely to report these kinds of issues to you, which could potentially cause way more trouble down the road. Just fix the problem and move on, no need to let the issue linger on.
[ link to this | view in thread ]
Re: Re: Depressed Computers...
> liable to risk, loss, or danger
Yes, there's always some humorless fuck who doesn't get the joke.
Well done.
[ link to this | view in thread ]
Re: Re: Re: Re:
and even if they had access control measures to circumvent, if I'm a customer of that company and that company holds my personal data, it is (or should be) my every right to attempt to find security vulnerabilities in the company's website that might expose my data. If I can hack the website, then others likely can just as well and I need to know about those vulnerabilities to make the company aware of them and have them corrected. No law should ever stand in my way because any law that does is a law that interferes with my ability to ensure that my data is well protected.
[ link to this | view in thread ]
response
[ link to this | view in thread ]
Re: Re: Depressed Computers...
Please don't respond to Grammar Nazi's with spelling errors, that brings in the Spelling Police thus making the problem even worse.
[ link to this | view in thread ]
Australia's Superannuation Funds
[ link to this | view in thread ]
http://boingboing.net/2011/10/18/proposed-australian-law-makes-it-an-offense-to-insult-gaming-minister-michael-obrien.html
One wonders how far removed from reality the "leaders" are.
[ link to this | view in thread ]
Fortunately, in today's world, something as complex as figuring out that you can change an URL falls under "advanced hacking".
[ link to this | view in thread ]
Re: Re:
Emphasis fail.
Think before you speak
[ link to this | view in thread ]
For the full Manifesto click the link
[ link to this | view in thread ]
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike. (link follows here but hey, I thought it may not get out of review) Just fodder for the anti-mikes for "allowing" me to post it. LMFAO.
[ link to this | view in thread ]
http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html
[ link to this | view in thread ]
Disgusting
[ link to this | view in thread ]
Re:
Global Warming will fix itself.... eventually.
It just needs to warm up enough to eliminate what causes the warming. That might be a lengthy drawn out process but it will work.
[ link to this | view in thread ]
Re: Re:
Guess what, this will still be a crime. You do know that this is not your home, and you do know that the account with +1 in its number is not yours, and by hitting "enter" you do have very clear expectation of what will happen if it works.
[ link to this | view in thread ]
Re: Bank Security
Note that there's a difference between merely noticing that the box is unlocked, and actually opening it and looking what's inside.
[ link to this | view in thread ]
Corporations in general and banks in particular are natural opponents, if not enemies, of the people; assuming that they will behave according to human values is simply plain wrong. Helping them on voluntary basis is as silly and dangerous as helping the police - in both cases, while the positive outcome is quite unlikely, but your putting yourself in danger is guaranteed.
[ link to this | view in thread ]
Re: Re:
Worse, it was the lowest bidder.
[ link to this | view in thread ]
Everything seems to me to be a fairly natural outcome from that, all because some technical manager is trying to save their arse.
[ link to this | view in thread ]
Re: Re: Re:
Or we could just all bury our heads in the sand and trust that companies are doing a good job of securing our personal data. Just keep in mind, when the bad guys find a hole like this one, they won't tell anybody.. at least not until they have stolen all of the data they want.
[ link to this | view in thread ]
Re: Re: Re: Re:
And if he indeed was a researcher, a white hat, he would know how to make it all legally, and to get paid by the same Pillar.
Hey, and thanks for the "idiot", that really invites the discussion.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
If the guy had bad intentions, he would have kept his mouth shut. He tried to do good, *perhaps* using questionable methods, but he didn't actually STEAL anything as you try to imply with your analogy. When a vulnerability is found, the next step is to determine the scope. Maybe he should have left that part in the incapable hands of Pillar, but it just seems to me he was trying to gather as much information as possible to help them understand the issue.
[ link to this | view in thread ]
Re: Bank Security
Similarly, the real person could have tested just one access, or none at all and wrote an email or letter to the Bank CEO, manager and IT manager asking if this potential security flaw had been tested and was it safe. A reply might have told him, "yes we have checked it and it's OK" (although they probably would have said the same if it wasn't and they just fixed it). Either way the problem could have been resolved with no law broken. If they had not replied within a given time frame, perhaps then he could have checked one time to see if the flaw was there and wrote again. The first letter would probably cover him a bit better legally given that he tried to warn them and got no response.
Of course, it would be ridiculous to prosecute either hypothetical person or real person - having examined all the facts surrounding the situation and agreed that the actions were with good intention, but I would have no surprise really if the company wrote a letter warning him that what he did was illegal and against their terms; but it does surprise me that any punitive action was taken against him and I would be even more surprised if more action was taken. What should happen is the company hang its head in shame, wring a few necks internally, and count themselves lucky they didn't get caught out with worse.
But I fear, reading some responses, that what some "white-hat hacker" types are more afraid of is that their fun is being taken away from them. Listen: if no one invites you to test their security you have no business doing it - whatever your motive - so don't do it. If you don't agree that this is right and fair, fair enough, but comply with the written law if only just to protect yourself.
[ link to this | view in thread ]
Re: Depressed Computers...
Am I right?
[ link to this | view in thread ]
The act of accessing another customer's account was an action unauthorized explicitly by the terms and conditions of the bank and the law of the land, so that was the fault of Webster.
So while it was indeed "less pernicious" it was still not a permissible action. Technically, both were at fault but while the company were criminally negligent, Webster had only misguided good intentions. The company should be made an example of, not Webster.
[ link to this | view in thread ]
Most likely the white-hat hacker gets on with his real programming job and doesn't bother saying anything in future.
Think about it a bit before saying something like this again.
[ link to this | view in thread ]
The thing is, you didn't need to log in and access those private files to get the problem fixed, you could have just pointed out to the company their insecure use of JavaScript and explained why anyone could have easily logged in. No illegal, unauthorized access was necessary to prove this point or get the problem corrected.
[ link to this | view in thread ]
Re: Re:
That's essentially what makes you a hacker.
[ link to this | view in thread ]
http://publications.nsw.gov.au/pub/09b/026/09b026d57b923208598d2a928aad2f596adbb904/document.pdf
[ link to this | view in thread ]
What's the bet
No wonder the CEO/board of directors of the company were pissed off....this filthy hacker/hippy just cost them their secret monthly bonus.
[ link to this | view in thread ]