News
Young School Finalists Announced
The Young School competition is being held for the third year in a row. The goal of the contest is to support young and talented information security specialists by giving them the opportunity to present their reports at the Positive Hack Days forum. The range of topics is wide, from applied cryptography to ICS and government information systems security. The competition is designed for students, postgraduates, and young scientists. Applications were accepted for three months, and the most outstanding reports were selected this week. Here is the list of finalists (in the order the abstracts were received):

Maria Korosteleva, “Ensuring Cryptographically Strong Group Communications with the Feature of Deniability”
Philipp Bourtyka and Alyna Trepacheva, “Secure Cloud Computations Using Steganography: Definitions and Challenges”
Nikolay Tkachenko, “General Model of Web Applications Protection Techniques Based on Hash Functions”
Yelena Doynikova, “Dynamic Assessment of Computer Networks Security in SIEM Systems”

One of them will be the winner. The out-of-competition participants will be Alexander Puzankov, presenting a report with the intriguing title “Tough Time”, and Maxim Kobilev, who will explain how to use a quadrocopter as a pentest tool. The young researchers will present their reports at Positive Hack Days IV. Congratulations!
The program committee

This year, the program committee included:

Denis Gamayunov, MSU Faculty of Computational Mathematics and Cybernetics
Alexey Kachalin, Advanced Monitoring
Vladimir Ivanov, Yandex
Evgeny Rodionov, MEPhI
Peter Volkov, Yandex
Dmitry Oleksyuk, an independent developer
Alexey Smirnov, Parallels
Igor Kotenko, SPIIRAS
Nikita Abdullin, OpenWay
Alexandra Dmitrienko, Technical University of Darmstadt
Pavel Laskov, University of Tübingen
Ekaterina Rudina, Kaspersky Lab
Evgeny Tumoyan, the South Russian Regional Scientific Center of SFedU

Andrey Petukhov, the chairman of the program committee, told us about the Young School final: “Sporting competitions may be played with a final four, which gives prestige to its participants. Such a type of final builds up and increases the suspense during a contest. Young School holds its intrigue as well. First of all, Denis Kolegov and Nikolay Tkachenko, who took third place in last year's competition, are now among the finalists. The list of finalists also includes representatives of the Laboratory of Computer Security Problems of SPIIRAS. And we know that last year, second place was awarded to a report received from the laboratory. Another finalist, Maria Korosteleva, a student of the Faculty of Computational Mathematics and Cybernetics of MSU, will try to match the success of the very first Young School competition winner, Anastasiya Scherbinina from the same faculty. Besides, it would be interesting to see how the newcomers, Philipp and Alyna from SFedU, will compete with the other, more experienced participants.”

Positive Hack Days IV will be held on May 21 and 22 in Moscow. You can register and visit the forum to see how the future of Russian science is created.
PHDays IV Competitive Program
There is little time left before PHDays begins. The CTF finalists have already been determined, we are putting together the conference program (see parts 1 and 2), and we are preparing the PHDays Everywhere activities. Not only exciting talks and hands-on labs, but also awesome contests await the visitors!

A bit of history

Traditionally, the main focus at Positive Hack Days is on practical contests, which allow attendees to demonstrate their skills in hacking and protection. Last time, PHDays contestants tried to protect the industrial control system of a miniature railroad model, practiced lockpicking, searched for breaches in a specially crafted Internet banking system, and “stole” money right from an ATM. The hit of the show was the hacking labyrinth, full of laser motion sensors, imitations of covert listening devices, and other cool stuff. Only at PHDays can you experience these and other adventures (such as analyzing network security or reverse engineering). Check out the contests below, prepared this time for white hats from all over the world.

Challenges at the Venue

Please note that you will need a laptop to participate in the majority of the contests.

Critical Infrastructure Attacks (CIA)

The challenge of analyzing the security of real ICS systems controlling a railway model (Choo Choo Pwn) was a real specialty of PHDays III. Afterwards, its organizers had a real rock-star experience touring from one security conference to another around the world (see the reports on Seoul and Hamburg).
A Surprise Performance at PHDays
Since the topics discussed at Positive Hack Days IV go far beyond purely technical issues, there's a surprise in store for forum participants. The creators of the project Model Dlya Sborki (MDS, lit. “a model kit”) will give a live audio performance at the Digital October Center on May 21 (from 7 pm till 10:30 pm). The history of the radio show goes back to 1995, when it first went on the air on Station 106.8 FM. Many listeners discovered MDS thanks to Silver Rain Radio, which aired the program from 2002 to 2004. In 2012, MDS received the Golden Podcast award at Russian Internet Week. The audio show is created under the direction of Vlad Kopp, the leader and the voice of the project. MDS is a symbiosis of literature and music: readings of Russian and foreign classic and contemporary works (mainly science fiction) accompanied by electronic music. We hope that you will enjoy the performance; it will deal with the technological revolution and its consequences, which people might face in the near future.
How to Hack Gmail and WordPress and Spy through TV
When the email of prominent people is hacked, debate usually follows about whether the correspondence that surfaces on the Internet is genuine. Until now, we have assumed that a valid DKIM signature identifies the author of the signed correspondence. But can we trust this authentication mechanism? Vulnerabilities in Google, Yandex, and Mail.Ru will be discussed at the international information security forum Positive Hack Days IV, which will be held on May 21 and 22 in Moscow.

Secure protocols are used insecurely

The number of Google, Yandex, and Mail.Ru users approaches one billion, and hundreds of experts from all over the world are involved in the security analysis of these services. However, no one is immune to vulnerabilities. Vladimir Dubrovin (3APA3A), the founder of SecurityVulns and developer of the 3proxy server, one of the most outstanding representatives of the Russian old school, will speak on the misuse of both well-known (SSL/TLS and onion routing) and recent protocols ensuring privacy, integrity, and data encryption. Vladimir will also present new attack vectors aimed at accessing data processed by various services, including email.

A smart spy in your house

In the beginning, a TV was just a TV. It was there to make people's lives happier. Nowadays, TVs are fully featured PCs with a proper OS, a camera, a microphone, a web browser, and applications. They still make people happy, especially malicious ones. Donato Ferrante and Luigi Auriemma, the founders of ReVuln, known for discovering vulnerabilities in SCADA systems and multiplayer games, will speak on the current state of Smart TVs, exploring their attack surface, detailing possible areas of interest, and demonstrating some issues the speakers found while assessing the security of Smart TVs from different vendors.

ARM exploitation

Participants of Aseem Jakhar's workshop will take their laptops and plunge into the security issues of ARM.
Aseem Jakhar is a researcher at Payatu Technologies and one of the founders of Nullcon. He will cover low-level programming starting right from ARM assembly, shellcoding, buffer overflows, and reverse engineering through to code injection. The workshop has many hands-on exercises to get participants comfortable with ARM assembly and to help them understand the issues involved in exploiting ARM-based Linux systems. To make the workshop more interesting, it uses Android as the platform for learning ARM exploitation and hence also covers Android-specific development and security concepts.

How to bug a conversation held on the other side of the planet

Lately, recordings of phone conversations have been turning up on the Internet and even on TV. It is obvious that such recordings were obtained without the knowledge of the subscribers. Many of us have received strange text messages followed by large bills for mobile services. Sergey Puzankov, an expert at Positive Technologies specializing in mobile network security, will examine what an intruder with access to SS7 can do. The author will describe attack techniques aimed at disclosing a subscriber's sensitive data and location, changing the dial numbers of enabled services, redirecting calls, and intercepting the communication channel without authorization. The attacks are demonstrated using recorded signaling messages. The research also covers proactive protection against such attacks and methods of investigating incidents related to vulnerabilities in a signaling network.

Moloch the investigator

Thousands of years ago, people made human sacrifices to Moloch, an ancient god. The report about Moloch, a highly scalable open source full packet capture system, does not contain such bloodthirsty elements (intruders might think otherwise). The system captures traffic live from the wire for use as a network forensics tool to investigate compromises.
It also serves as a great way of searching and interacting with large PCAP repositories for research (malware traffic, exploit and scanning traffic). Its web API also makes it extremely easy to integrate with existing SIEMs or other alerting tools and consoles to help speed up analysis. Andy Wick and Eoin Miller are members of AOL's Computer Emergency Response Team. The hands-on lab will focus on how AOL uses Moloch combined with IDS systems (Suricata, Snort) feeding alerts into consoles and SIEMs (Sguil, ArcSight) to help defend its employees, users, and the Internet at large. The experts will also run Moloch to capture the traffic generated during PHDays CTF and analyze all the incidents.

Industrial cybersecurity and critical infrastructure protection in Europe

The events of recent years (from the 9/11 attacks to WikiLeaks and the Stuxnet malware) have made governments put the development of national cybersecurity strategies to protect their critical infrastructures on their agendas. Ignacio Paredes, Studies and Research Manager at the Industrial Cybersecurity Center in Spain, says that hundreds of thousands of industrial infrastructures across Europe are at stake. The report will consider the relation between industrial and corporate environments and its impact on organizations that are key to the survival of a country, as well as current trends in the convergence of industrial and corporate systems, threats, and countermeasures.

WordPress security

With approximately 19% of the web running on WordPress, it comes as no surprise that the security of this content management system has an enormous impact on a large number of users. Despite being open source and reviewed by security researchers, WordPress is, just as any other software, prone to errors and vulnerabilities.
Tom Van Goethem, a PhD student at KU Leuven (Belgium), will tell PHDays IV participants how unexpected behavior of MySQL led to the discovery of a PHP object injection vulnerability in the WordPress core. The author will also demonstrate how this vulnerability can be exploited.

The first group of speakers is listed on the official site. If you want to present your report at the international information security forum, you must hurry, because applications are accepted until March 31. Anyway, there are other ways to join PHDays IV.
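The question this post opens with, whether a valid DKIM signature identifies the author of a message, can be made concrete. What DKIM (RFC 6376) actually asserts is that the domain named in the d= tag signed the headers listed in h= together with a hash of the body (bh=); it says nothing about who wrote the text, and a signature made by a third-party mailer is perfectly valid even when d= has nothing to do with the From: domain. The script below is an added example, not code from this page or from any of the speakers. The message it parses is constructed, and its bh= and b= values are placeholders rather than real signature data. It splits the tag list, reports the signing domain and selector, checks whether d= aligns with the From: domain, lists which of the common headers are left uncovered by h=, and recomputes the body hash with the c= canonicalization. Checking the b= signature itself needs the selector's public key from DNS and is deliberately left out.

```python
"""What a DKIM signature does and does not attest to (added example)."""
import base64
import email
import email.utils
import hashlib
import re

# Constructed sample message (assumption, not a real capture). The signature
# was made by mailer.example.net while From: claims example.org, Subject: is
# not in h=, and bh=/b= are arbitrary placeholders rather than real values.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example.net;\n"
    "  s=sel2014; h=from:date:to; bh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;\n"
    "  b=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@example.com>\n"
    "Subject: Quarterly numbers\n"
    "Date: Wed, 21 May 2014 10:00:00 +0400\n"
    "\n"
    "Please  find the numbers   attached.  \n"
    "\n"
)


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2).
    Folding whitespace inside a value is insignificant and is removed."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, method):
    """RFC 6376 3.4 body canonicalization: "simple" or "relaxed"."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # collapse runs of WSP to one space and strip trailing WSP per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":      # drop trailing empty lines
        lines.pop()
    canonical = "".join(line + "\r\n" for line in lines)
    if method != "relaxed" and not canonical:
        canonical = "\r\n"                # simple: an empty body is one CRLF
    return canonical


def body_hash(body, method="relaxed"):
    """Base64 SHA-256 of the canonicalized body, the value carried in bh=."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def dkim_attribution(raw_message):
    """Summarize what the DKIM signature on a message actually asserts."""
    msg = email.message_from_string(raw_message)
    header = msg.get("DKIM-Signature")
    if header is None:
        return {"signed": False}
    tags = parse_dkim_tags(header)
    signing_domain = tags.get("d", "").lower()
    signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
    # c=header/body; the body method defaults to "simple" when absent
    body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    author = email.utils.parseaddr(msg.get("From", ""))[1]
    author_domain = author.rpartition("@")[2].lower()
    return {
        "signed": True,
        "signing_domain": signing_domain,
        "selector": tags.get("s", ""),
        "author_domain": author_domain,
        # DMARC-style alignment: the signer is the author's domain or a parent
        "aligned": author_domain == signing_domain
        or author_domain.endswith("." + signing_domain),
        "signed_headers": signed_headers,
        "unsigned_headers": [h for h in ("from", "to", "subject", "date")
                             if h not in signed_headers],
        "body_hash_ok": body_hash(msg.get_payload(), body_method) == tags.get("bh"),
    }


if __name__ == "__main__":
    for key, value in dkim_attribution(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows a signature that is structurally fine yet attributes the message to mailer.example.net, not to example.org, leaves Subject: unsigned (so it could be rewritten without invalidating b=), and a body hash that no longer matches, which is exactly what an edited body looks like. A forensic claim that "the DKIM signature proves X wrote this" needs all three checks plus the b= verification against the published key before it means anything.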
Discount PHDays IV Tickets are Available till March 16
We have great news! You can get tickets to the PHDays IV forum at the Early Bird discount until March 16, 2014. The special prices are 9,770 rubles for two days and 7,470 rubles for one day. From March 17, the price of a ticket will rise to 13,870 rubles for two days and 9,770 rubles for one day. Don't forget that there is also a chance to win a free pass to the forum. You can submit an interesting report on information security until March 31, 2014, and become a speaker at the forum. Moreover, anyone can win an invitation in one of the various competitions (check the news on the official website) or organize his or her own PHDays. Find the details about participating in PHDays IV on the forum's website.
PHDays IV Topics
How can you create a virus or a botnet for Android? What else do you get when you buy a hard disk drive at an eBay auction? What threats surround a SIM card owner? How can you get one-time password tokens? Get answers to these questions and more at Positive Hack Days IV, the international information security event. The final stage of the Call for Papers started on February 17 and lasts until March 31. The first group of speakers for the technical program of PHDays IV has been selected. Abstracts of their papers are presented below.

Cyberweapon Against Mobile Networks

Mobile networks should protect users on several fronts: calls need to be encrypted, customer data protected, and SIM cards shielded from malware. Many networks are still reluctant to implement appropriate protection measures in legacy systems, but even those that add mitigations often fail to fully address attacks because they target symptoms instead of solving the core issue. Karsten Nohl will consider mobile network and SIM card attacks that circumvent common protection techniques to illustrate the ongoing evolution of mobile attacks. Karsten Nohl is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.

Android Exploitation

Being the leader among mobile platform vendors, Google is now also known for vulnerabilities in Android. Trojans attack millions of users. Malware sends messages to short numbers, steals money from credit cards, steals personal data, and spies through the camera. After the 4-hour hands-on lab, participants will know more about the development of malware for Android and will have taken part in Android exploitation. The hands-on lab will be held by Aditya Gupta, the founder of Attify and a community member of Null (The Open Security Community in India).
He will cover topics such as reversing and analyzing Android malware, auditing applications with manual and automated testing, in-depth Dex and Smali file manipulation, WebKit-based exploitation, and finally ARM exploitation for mobile devices.

Give Me Your Data!

We hear news stories every day about malicious hackers compromising the sensitive data of corporations, governments, and individuals. But that is only half of the story. You don't have to be a hardcore hacker to get sensitive information. Dave Chronister will present his report “Give Me Your Data!” to show that even today data is still not stored securely. He will not hack any systems during the experiment; all data will be collected legally. From purchasing devices on Facebook and bidding for hard drives on eBay to monitoring public file sharing sites and anonymously accessible servers, Chronister will unveil methods of retrieving information and show his findings, which are very surprising. Dave Chronister is the founder and managing technology partner of Parameter Security. Growing up in the wild world of 1980s BBSes and the early Internet, Chronister obtained a unique, firsthand look at the minds, motives, and methodologies of hackers. Chronister has provided ethical hacking services, auditing, forensics, and training to clients worldwide. Chronister's expertise has been featured in the media, including CNN, CNBC, CNN Headline News, ABC World News Tonight, Bloomberg TV, CBS, FOX Business News, Computer World, Popular Science, and Information Security Magazine.

Breaking One-Time Password Tokens

Side-channel analysis (SCA) is a powerful tool for extracting cryptographic secrets by observing physical properties (power consumption, EM emissions, etc.).
David Oswald will present an introduction to SCA and related methods and then demonstrate the practical relevance of SCA with two case studies: how SCA can be used to circumvent the IP protection (bitstream encryption) of FPGAs and, in a similar way, how the AES keys of one-time password tokens can be extracted, allowing an attacker to steal digital identities. David Oswald received his PhD in IT security in 2013 and is currently working at the Chair for Embedded Security, Ruhr-University Bochum. He is also a co-founder of Kasper & Oswald GmbH.

In the Middle of Printers

Big corporations and financial institutions need secure pull printing services that guarantee proper encryption, data access control, and accountability. This research is aimed at performing a man-in-the-middle (MITM) attack on multifunction printers with embedded software from the most popular vendors. The results are staggering. Similar vulnerabilities have been found in multiple solutions, making it possible to break the encryption, collect any print job from the server, and print at others' expense. Jakub Kaluzny, the author of the report, is an IT security specialist at SecuRing. He performs penetration testing, vulnerability assessments, and threat modelling of web applications and network environments. He was inducted into the Google Security Hall of Fame in 2013.

Vulnerabilities in Business Logic

Business logic vulnerabilities are the least studied and are usually ignored by researchers and pentesters. This is caused by the lack of automated detection and exploitation tools and testing practices, as well as by the absence of a clear theoretical foundation that would make categorization easier. However, considering the goal of business application analysis, business logic vulnerabilities should be a priority for pentesters, since logical attacks may lead to outcomes comparable to the consequences of remote arbitrary code execution.
Vladimir Kochetkov will speak on the theoretical foundations of logical attacks on business applications. His report also covers partial domain logic modeling, which makes it possible to identify potential vulnerabilities and possible attack vectors. Several real-life business logic vulnerabilities will be analyzed as examples of the practical use of this technique. Vladimir Kochetkov is an expert at the Positive Research Center (Positive Technologies). He focuses on security analysis of web application source code and the theoretical side of information systems security. He also participates in the SCADA Strangelove project and is one of the developers of Positive Technologies Application Inspector. He contributes a lot to open source projects, such as rsdn.ru.

Stay Cool

People often panic during an IS incident and can destroy crucial evidence. The 4-hour hands-on lab “How to react to IS incidents: Investigation of a cyber-attack” takes a practical approach to incident investigation: how to act quickly and calmly to collect evidence, analyze system logs, memory, and disks, and search for traces of a cybercrime. Participants will be provided with special instructional material and virtual machines and will be offered several effective strategies for responding to simulated incidents. The hands-on lab will be held by Alexander Sverdlov, an IT security officer at ProCredit Bank Bulgaria. It is not the first time Alexander has presented his work at PHDays: last year he conducted a hands-on lab on cyber forensics.

Intercepter-NG: The New Generation Sniffer

The report focuses on the Intercepter-NG toolkit, today the most advanced multifunctional tool for a pentester. Ironically, it is more popular outside Russia. The author will give an overview of the tool's features and discuss several examples of attack execution.
Examples include the MySQL LOAD DATA LOCAL injection recently presented at Chaos Constructions, and DNS over ICMP, a little-known but powerful attack. The report will be presented by Alexander Dmitrenko, Head of the Training Department at PentestIT. He regularly writes articles for the Habrahabr tech blog and Hacker Magazine. Alexander will be assisted by Ares, an expert at PentestIT and the developer of Intercepter-NG.

Side Channel Analysis: Practice and a Bit of Theory

This topic is not often addressed at hacker conferences, so this time at PHDays we will consider two points of view. Besides David Oswald, Ilya Kizhvatov will present research on side channel attacks. The speaker will introduce the conference community to side channels, present an overview, and explain the state of the art in this area, giving practical examples. Participants will learn how to tell whether a particular device is exposed to side channel attacks and how to protect it, and may become motivated to play around with side channel analysis just for fun. Ilya Kizhvatov is a senior security analyst at Riscure (Delft, Netherlands). He has 6 years of experience (half academic, half industry) in embedded security, with a focus on side channel and fault attacks on cryptographic implementations.

Nothing Happens by Chance... or Does It?

Random numbers are used throughout the protection mechanisms of modern applications (encryption keys, session IDs, CAPTCHAs, passwords). The resistance of such mechanisms depends heavily on the quality of the random number generator. Mikhail Egorov and Sergey Soldatov will discuss vulnerabilities in Java applications that use pseudo-random number generators. Besides successful attack scenarios, the authors will demonstrate a tool that recovers the internal state of a generator (its seed), as well as the preceding and subsequent values. Participants will also learn how they can use the tool to attack real-life Java applications.
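The state recovery described in the PRNG talk above can be shown on the most common Java generator, java.util.Random. What follows is an added example, not the speakers' tool. java.util.Random is a 48-bit linear congruential generator with the documented constants 0x5DEECE66D and 0xB, and nextInt() returns the top 32 bits of the freshly updated state. Two consecutive nextInt() outputs therefore leave only 16 unknown bits of state, which is a 65,536-step brute force; once the state is known, the multiplier's inverse modulo 2^48 steps the generator backwards, which yields the values produced earlier and, after undoing the constructor's seed scrambling, the original seed. The Random(42) scenario at the bottom is constructed for the demonstration.

```python
"""State recovery for java.util.Random (added example, not the talk's tool)."""

MULTIPLIER = 0x5DEECE66D   # java.util.Random LCG constants
INCREMENT = 0xB
MASK = (1 << 48) - 1
# The multiplier is odd, hence invertible modulo 2^48; the inverse lets us
# run the generator backwards (three-argument pow with -1 needs Python 3.8+).
MULTIPLIER_INV = pow(MULTIPLIER, -1, 1 << 48)


def to_signed32(value):
    """Reinterpret a 32-bit unsigned value as Java's signed int."""
    return value - (1 << 32) if value & 0x80000000 else value


class JavaRandom:
    """Minimal re-implementation of java.util.Random.nextInt()."""

    def __init__(self, seed):
        # new Random(seed) scrambles the seed with the multiplier before use
        self.state = (seed ^ MULTIPLIER) & MASK

    @classmethod
    def from_state(cls, state):
        rng = cls(0)
        rng.state = state
        return rng

    def next_int(self):
        self.state = (self.state * MULTIPLIER + INCREMENT) & MASK
        return to_signed32(self.state >> 16)   # top 32 of 48 bits


def recover_state(outputs):
    """Given two or more consecutive nextInt() outputs, return the candidate
    internal states after the last output was produced.

    The first output reveals the top 32 bits of the 48-bit state, so only the
    low 16 bits have to be brute-forced; every further output filters the
    candidates, and with three outputs the survivor is unique in practice.
    """
    if len(outputs) < 2:
        raise ValueError("need at least two consecutive outputs")
    top_bits = (outputs[0] & 0xFFFFFFFF) << 16
    candidates = []
    for low in range(1 << 16):
        state = top_bits | low
        for expected in outputs[1:]:
            state = (state * MULTIPLIER + INCREMENT) & MASK
            if to_signed32(state >> 16) != expected:
                break
        else:
            candidates.append(state)
    return candidates


def rewind(state, steps=1):
    """Step the generator backwards using the modular inverse."""
    for _ in range(steps):
        state = ((state - INCREMENT) * MULTIPLIER_INV) & MASK
    return state


def predict_next(state, count):
    """The values nextInt() will return after the recovered state."""
    rng = JavaRandom.from_state(state)
    return [rng.next_int() for _ in range(count)]


def preceding_outputs(state, count):
    """The `count` nextInt() values that led up to the recovered state."""
    rng = JavaRandom.from_state(rewind(state, count))
    return [rng.next_int() for _ in range(count)]


def recover_seed(state, outputs_consumed):
    """Undo `outputs_consumed` steps and the constructor scrambling to get the
    value that was passed to new Random(seed)."""
    return rewind(state, outputs_consumed) ^ MULTIPLIER


if __name__ == "__main__":
    # Constructed scenario: an application seeds Random(42) and exposes three
    # consecutive nextInt() values, for example as numeric session tokens.
    victim = JavaRandom(42)
    seen = [victim.next_int() for _ in range(3)]
    state = recover_state(seen)[0]
    print("recovered seed:", recover_seed(state, len(seen)))
    print("next three tokens:", predict_next(state, 3))
    print("earlier tokens:", preceding_outputs(state, 3))
```

The same attack works on anything derived from the 48-bit state (nextInt(bound), nextLong(), nextDouble()), only the bookkeeping for how many bits each call consumes changes. The fix is the one the talk's title hints at: tokens, session IDs and keys must come from java.security.SecureRandom, whose output does not reveal its state.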
Mikhail Egorov is an independent researcher and programmer (Java, Python). He specializes in fuzzing, reverse engineering, and web application and network security. Sergey Soldatov is an independent security practitioner with more than 10 years of network security experience who has been involved in large ISP-related development projects.

Learning How to Reverse Engineer OS X Drivers Properly

MacBooks and Macs are commonly believed to be more secure than Windows computers. However, recent sensational incidents, such as unauthorized access to built-in iSight cameras, speak for themselves. Egor Fedoseev will discuss methods of analyzing OS X drivers, the related challenges, and ways to minimize effort. His report “Reverse engineering of OS X drivers” also covers the features of Mac drivers, existing problems of reverse engineering in IDA, and possible ways to solve them. The research is of interest to analysts and OS X security specialists. Egor Fedoseev works for the Ural Federal University (Ekaterinburg, Russia). He is the leader of the student group “Hackerdrome”, which was founded in 2005 by the Department of Mathematics and Mechanics of the university. Egor Fedoseev has been into reverse engineering since 2004.

Remember, you can apply until March 31 for an opportunity to present your research at Positive Hack Days IV in front of thousands of leading experts in information security. There are other ways to join the forum, too. The presentations that will take place at the forum on May 21 and 22 will be listed on the event's official website in April 2014.
Only Two Weeks Left to Apply for PHDays Young School
Due to popular demand, we have decided to extend the application deadline for the information security competition of young scientists. Applications for participation in PHDays IV Young School will now be accepted until March 1, 2014 (23:59 UTC). This is the third year of Young School, but the first time scientists from outside Russia are invited to participate, making it a truly international contest. The competition is designed for students, postgraduates, and young scientists who have conducted research on a variety of topics. This year's topics of interest include:

Hackers' new targets: from audio baby monitors and pacemakers through to nuclear power plants
Privacy and trade secrets protection in the days of PRISM, Snowden, and Assange
Computer forensics against targeted APT attacks and cyber spying
Fresh approaches to intrusion detection and prevention
Methods of countering DDoS attacks
ERP systems and business applications security
Business data protection (BYOD, MDM, DLP)
Counteracting attacks against web applications
Protecting virtual corporate and private clouds
Applied cryptography
Security of government information systems and e-government
Techniques and tools for physical security
Protection of ICS/SCADA: securing industrial systems and modern cities

Finalists will be invited to present their reports at Positive Hack Days IV. The forum's organizers will cover flight costs and help to find accommodation for the authors of selected works. Take the opportunity to tell the world about your research and join the competition! Please be sure to read the participation rules and send your application to youngschool@phdays.com by March 1, 2014.
Hackers from All Over the World Competed to Join PHDays IV CTF
PHDays CTF Quals, an information security competition, took place from 12 p.m. on January 25 to 12 p.m. on January 27, with teams competing for the entire 48 hours. Dragon Sector, a Polish team, won the contest; somewhat unexpectedly, PPP from the USA took second place, and More Smoked Leet Chicken from Russia came in third.
PHDays CTF Quals Rules
There is not much time left until PHDays IV CTF Quals, and it's time to reveal the rules and game mechanics. First of all, the new mechanics are all meant to bring some additional fun to CTF. The game is balanced in such a way that you receive most of the points (more than 90%) for solving tasks, so you still have to be the best hackers to make it to the top. However, for those who wish to get the full game experience, we have prepared the Quest part of the contest: basically, you will have to find some information on the Internet and submit it to the jury system by answering some questions. The Quest legend continues the storyline featured at the PHDays III CTF Finals. You will play as members of the GOLEM task force, investigating the Detcelfer incident. Solving the Quest does not directly affect your CTF rating position. However, you will have to pass at least some of the Quest challenges. Here is how it works.

The Quest consists of several questions you have to answer. Each answered question gives you some cluepoints. You can spend cluepoints to open a new task for your team. Tasks are just normal CTF tasks, which you are probably used to. The number of cluepoints you must spend to open a task depends on task difficulty; each answered question gives you enough cluepoints to open up to 2 tasks. Solving a task brings you points (the exact amount also depends on task difficulty), which directly affect your rating position. The maximum number of cluepoints you can earn in the Quest is much bigger than the number needed to open all tasks. However, it is possible to convert cluepoints directly into points (at some exchange rate), so you can get additional points by answering more questions. Moreover, if you complete the Quest (i.e. answer all questions), you will get a bonus (in points). Of course, the game is balanced in a way that opening and solving a task brings you much more profit than just selling cluepoints. On the other hand, you may choose not to open tasks that you probably won't solve. Here are some numbers to illustrate the game balance:

Reward for solving a task: 1000–4000 points
Maximum possible profit for selling all cluepoints (without opening any tasks): 6000 points
Price of opening all tasks: 50% of all cluepoints
Reward for completing the Quest: 2000 points

We added the Quest as an experiment, so we tried to make it easy to solve. We just hope this will help you get involved in the legend and have more fun during the CTF. Anyway, your feedback is highly appreciated!

General Points

Teams that score the largest number of points qualify for the Finals. During the qualifying stage, each team may include any number of participants. During the game, teams are prohibited from:

Generating unreasonably high volumes of traffic threatening the game infrastructure (of the jury or other teams)
Conducting attacks outside the game network
Attacking the jury's computers
Conducting destructive attacks against the task servers (such as rm -rf /)
Performing the above actions in the guise of a rival team
Exploiting vulnerabilities of the scoring system to gain undeserved points

A team may be penalized or disqualified for a foul.

Note

The jury reserves the right to modify the rules at any time before the game begins. PHDays CTF Quals will be held on January 25 and 26, 2014. Teams that demonstrate the best results will advance to the finals to compete against the female team SecurityFirst from Soonchunhyang University of Asan, South Korea, which won the CTF contest held during Power of Community in Seoul. To plunge into the hacking contests of CTF Quals, you just need to build a team and register. So do it!
Want to Join PHDays IV CTF? Take Part in CTF Quals!
PHDays IV is coming! Tickets for the forum are available, the Call for Papers is in progress, and acceptance of reports for the Young School competition has started. And don't forget the CTF! The finals of our international information security contest CTF take place at the PHDays IV forum on May 21 and 22, 2014, and the road to the finals starts with CTF Quals.

Participation Rules

PHDays CTF Quals will be held on January 25 and 26, 2014. Teams that demonstrate the best results will advance to the finals to compete against the female team SecurityFirst from Soonchunhyang University of Asan, South Korea, which won the CTF contest held during Power of Community in Seoul. Participants of CTF Quals will face various challenges that require deep knowledge of modern technologies and practical skills to solve. The Quals raise the level of difficulty for participants to reach the final and create intrigue, competition, and fun.

Plot

To add a special appeal to PHDays CTF, the plot develops according to a legend. Participants of Positive Hack Days III were heroes who tried to save the poor people of D’Errorim from horrid monsters. At the end of the game, they realized their efforts were only the first step, and from that moment on they had to save their own world. The new CTF Quals continue this plotline.

Battle

Last year, 493 teams from more than 30 countries fought each other, and 154 teams solved at least one task. With PHDays technical specialists inventing challenges the world has not yet seen, the approaching battle promises to be even harder. Participants face a unique infrastructure, a fascinating legend, uncommon tasks, and extreme difficulty, all combining to create an unforgettable experience. CTF finalists have the opportunity to compete with the best hackers from every corner of the world.

Register

To plunge into the hacking contests of CTF Quals, you just need to build a team and register. So do it!

P. S. Check out the movie we made about preparing for and holding the PHDays III event and its hacking competitions. It contains interviews with the CTF winners: Eindbazen from the Netherlands (1st place) and PPP from the USA (2nd place), including one of its members, the well-known hacker George Hotz (geohot). (CTF content starts at 29:00, but watch the whole thing ‘cause it rocks!)