Another Dying Gasp From Email?

Note: This entry has been restored from old archives.

I’ve sporadically been losing emails recently. It turns out this is due to two things.

  1. I changed ISPs and now have a dynamic IP that is in several blacklists.
  2. I’ve been sending emails with the string “configure.ac” in them and this is in several URI blacklists.

Mostly this means I don’t receive my own emails, but sometimes the IP thing seems to catch emails on their way to me from someone else. I do have to wonder who else is not getting my emails though 🙁

OK, so “dying gasp” is a bit melodramatic. But email seems to become increasingly unreliable. Unless you’re expecting email and will thus miss it when it doesn’t arrive how do you know you’ve missed the unexpected? There’s no way of knowing whether you’re getting all you should be, or others are getting all you’re sending! More and more I use IM and websites for communication, and email becomes an “on the record” and “just a sec, I’ll email you the file” medium.

The listed IP thing is only going to happen to geeks who have local mail relays. I use a local mail relay for work email, so it is kind of important. I guess I’ll have to configure the local MX to not add a received header.

The “configure.ac” thing is just a PITA.

Still Doesn’t Like Kaspersky

Note: This entry has been restored from old archives.

Seeing more of those emails that try to hurt Kaspersky’s feelings. An interesting note about them. If you download with an IE useragent string you get something different than what you get with a Firefox useragent string. If the UA string isn’t FF or IE you get simple HTML with just the link to the exploit .exe file. The obvious difference between the FF and IE versions is that the FF version of the code doesn’t insult Kaspersky.

Beyond that the FF and IE have very different payloads attached. The IE payloads I see now are very similar to the weekend’s, some minor differences that seem to mainly revolve around the different IP address. The decoded script contains a variety of nastiness, including downloading “file.php” which is another PE executable, yet another version of Zhelatin/Nuwar/Storm. This site’s version of video.exe is labor.exe (Labor Day in US). Both PEs are detected as Zhelatin vars by KAV. KAV catches the IE version of the web script, but not the FF version. Overall scan results are pretty average (heh, these guys probably use sites like virustotal.com to test their damn malware).

   File             | Caught By | As %
--------------------+-----------+--------
IE Script           |   6/31    | 19.36% 
IE Script (decoded) |  15/32    | 46.88% 
FF Script           |   7/31    | 22.59% 
FF Script (decoded) |  12/32    | 37.50% 
labor.exe           |  16/32    | 50.00% 
file.php            |  12/32    | 37.50% 

(The /31 entries are where the Prevx1 scanner wasn’t included for some unexplained reason.)

The FireFox post-xor payload is much shorter than the IE version. It seems to contain just a couple of simpler exploits. One of which is for Windows Media Player plugin EMBED bug MS06-006. The other looks like something intended to do some stack smashing in the FF javascript engine.

Also worth noting, each time you download you get a script that has used a different value for the xor key (well, probably random rather than specifically different). Both versions have the same obvious xor decrypt though. Getting closer to some difficult form of polymorphism?

Seen only a couple of IPs hosting this creature so far. In both cases they’re RoadRunner owned IPs in the US.

Finally, here’s a coverage summary from a script that processes virustotal.com results. This data is by no means a meaningful representation of anything at all. Top points to Webwasher, although AFAIK they use multiple AV engines. I’ve never even heard of half these scanners outside of virustotal.com scans.

                                 FF-dec FF IE-dec IE file.php labor.exe  COVERAGE
Webwasher-Gateway (2007.09.03):       Y  Y      Y  Y        Y         Y     100%
              AVG (2007.09.03):       x  Y      Y  Y        Y         Y      83%
          AntiVir (2007.09.03):       Y  x      Y  x        Y         Y      66%
      VirusBuster (2007.09.03):       x  x      Y  Y        Y         Y      66%
        Kaspersky (2007.09.03):       x  Y      Y  x        Y         Y      66%
           McAfee (2007.09.03):       Y  Y      Y  Y        x         x      66%
         F-Secure (2007.09.03):       Y  Y      Y  x        x         Y      66%
         Symantec (2007.09.03):       Y  x      Y  x        Y         Y      66%
      BitDefender (2007.09.03):       Y  x      Y  x        Y         Y      66%
       eTrust-Vet (2007.09.03):       Y  x      Y  x        x         Y      50%
        Microsoft (2007.09.03):       x  x      Y  Y        x         Y      50%
            eSafe (2007.09.03):       x  Y      x  Y        x         Y      50%
           Sophos (2007.09.03):       Y  x      x  x        Y         Y      50%
           Rising (2007.09.03):       Y  x      Y  x        x         x      33%
            Ewido (2007.09.03):       x  Y      Y  x        x         x      33%
    CAT-QuickHeal (2007.09.03):       x  x      x  x        Y         Y      33%
            DrWeb (2007.09.03):       x  x      x  x        Y         Y      33%
          Sunbelt (2007.08.31):       x  x      x  x        Y         Y      33%
           Norman (2007.09.03):       Y  x      x  x        x         Y      33%
           Ikarus (2007.09.03):       Y  x      x  x        x         x      16%
            Panda (2007.09.03):       x  x      x  x        Y         x      16%
       Authentium (2007.09.02):       x  x      Y  x        x         x      16%
            VBA32 (2007.09.03):       Y  x      x  x        x         x      16%
           F-Prot (2007.09.02):       x  x      Y  x        x         x      16%
            Avast (2007.09.03):       x  x      x  x        x         x       0%
        AhnLab-V3 (2007.09.03):       x  x      x  x        x         x       0%
          NOD32v2 (2007.09.03):       x  x      x  x        x         x       0%
      FileAdvisor (2007.09.03):       x  x      x  x        x         x       0%
         Fortinet (2007.09.03):       x  x      x  x        x         x       0%
           Prevx1 (2007.09.03):       x  O      x  O        x         x       0%
           ClamAV (2007.09.03):       x  x      x  x        x         x       0%
        TheHacker (2007.09.02):       x  x      x  x        x         x       0%

[[[FYI I’m a big fan of using different AV scanners. I.e. use one product on your desktop, another on your mail server, and yet another at the gateway. I have a leaning towards McAfee and KAV, in the rather unrepresentative example above they make a perfect combination. 😉 It’s a bit expensive though, and you’re not going to get any “seamless integration” this way. Could be some call for a meta-AV company. The meta-AV company creates a UTM, remote desktop management system, and messaging (mail, etc) server scan interface with one unified management system. What would make it different from the alternatives I’ve seen around is that rather than being single-vendor based the aim would be to allow different AV products to plug in to each location.

Another semi-related thought is that you could have a system where a business has n different AV products installed across its desktop systems. Most employee desktops do stuff-all with their mega-cpu-power, so let’s put it to some good use. What you get is a “farm” of AV engines that your email/proxy infrastructure can call out to for scanning. To make it even more distributed you could have employee mail clients and web browsers pulling their traffic through their peers in such a way that each peer links through a peer with a different AV product. It’s a bit rough around the edges. Can you trust a desktop platform to do the job of secure proxy server? What about the added latency, is it significant? AV scanning tends to be slow.]]]

Someone Doesn’t Like Kaspersky

Note: This entry has been restored from old archives.

Seeing more and more of these spammed attempts to get people to self-infect. Most recently I passed over one that looked much like one described by the AVERT blog a short while ago. A very simple email with the line:

Dude I know thats you, someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v=iVyfrel8jIt

The bit that seems to be a YouTube link is actually wrapped in an anchor tag linking to an IP address (not reproduced above). Not YouTube! Duh! (It’s rather disappointing that the YouTube URL actually doesn’t show some amusing video.)

If you hit the site you get a nice HTML page that tells you your video will be ready in 15 seconds. Meanwhile it tries to break your web browser, as recently described on the Kaspersky blog. In fact I think the author of this malware might read the KAV blog too, from the script code:

function kaspersky(suck,dick){}; function kaspersky2(suck_dick,again){};

Ouch! Getting personal in malware code!

As an added bonus the page includes:

If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run.

Sure, “press Run”? But how many people will this sucker? Too many I’m afraid.

ClamAV tells me that the HTML page is “JS.XorCrypt” (some sort of generic signature I assume) and that the video.exe file linked to is “Trojan.Small-3273”. McAfee and Kaspersky both catch both files too, “Nuwar” and “Zhelatin” respectively for video.exe… no surprises there. I guess the author is right to be annoyed at Kaspersky, it catches their malware! Ha! (On VirusTotal.com 46.88% of 32 scanners detect the HTML file and 78.13% detect the executable – detected malware names vary greatly.)

Examining the code in these things is often fun. In this example the HTML page contains the (reformatted) code:

function xor_str(plain_str, xor_key)
{   var xored_str = "";
    for (var i = 0 ; i < plain_str.length; ++i)
    xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); 
    return xored_str;
} 
function kaspersky(suck,dick){}; 
function kaspersky2(suck_dick,again){};
var plain_str = <<OBFUSCATED_STRING_HERE>>
var xored_str = xor_str(plain_str, 20);
eval(xored_str);

Given a couple of minutes I can translate this to:

#!/usr/bin/perl -w
use strict;
sub xor_str
{
    my ($plain_str, $xor_key) = @_;
    my $xored_str = "";
    for my $chr (split //, $plain_str)
    {
        $xored_str .= chr($xor_key ^ ord($chr));
    }
    return $xored_str;
}
my $plain_str = <<OBFUSCATED_STRING_HERE>>
my $xored_str = xor_str($plain_str, 20);
print $xored_str;

I don’t really have time to dig deeper (it’s 03:31 right now!), but here’s the list of functions grepped out of the decoded exploit code.

h() {mm=mm; setTimeout("h()", 2000);}
getb(b, bSize)
cf()
startWinZip(object)
startWVF()
elea(){
yah()
startOverflow(num)
GetRandString(len)
CreateObject(CLSID, name) {
XMLHttpDownload(xml, url) {
ADOBDStreamSave(o, name, data) {
ShellExecute(exec, name, type) {
MDAC() {
start() {

A final note. The virustotal.com result for the decoded payload gives a 46.88% (15/32) detection rate. What is interesting is that the detections are by a very different set of AV products and identified by a very different set of names! Only 7 engines detected both the encoded and decoded forms. Of these seven only one gave them the same name, but this was the rather uninspiring “Downloader” from Symantec. I kind of expected that at least one product would be able to perform the decode and identify the payload (although if you can detect prior to doing this you save CPU time, so doing the decode isn’t necessarily desirable).
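Both this post and the follow-up above note that the wrapper is always the same single-byte XOR while the key changes per download, and that few scanners identify the payload behind it. As an added example (not code from the original posts), the Python below recovers the payload statically, without `eval`, by trying all 256 keys and ranking the results; the token list, helper names and the harmless sample payload are assumptions constructed for illustration.

```python
import re

# Tokens expected in decoded JavaScript; used to rank candidate keys (assumed list).
JS_TOKENS = ("function", "var ", "document", "return", "setTimeout", "eval(")

# A double-quoted JS string literal, and the escapes that may occur inside it.
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
_ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", re.S)
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v", "0": "\0"}


def xor_str(data, key):
    """Same transform as the page's xor_str(): XOR each char code with key."""
    return "".join(chr(key ^ ord(c)) for c in data)


def js_unescape(literal):
    """Turn the body of a JS string literal into the characters it denotes."""
    def repl(m):
        esc = m.group(1)
        if len(esc) > 1:                      # \xNN or \uNNNN
            return chr(int(esc[1:], 16))
        return _SIMPLE.get(esc, esc)          # \n, \", \\ and friends
    return _ESCAPE.sub(repl, literal)


def extract(script):
    """Return (payload, declared_key) without executing the script.

    The payload is taken to be the longest string literal, so extraction
    does not depend on the variable or function names used by the wrapper.
    """
    literals = LITERAL.findall(script)
    payload = js_unescape(max(literals, key=len)) if literals else ""
    code_only = LITERAL.sub('""', script)     # never look for the key inside data
    call = re.search(r"=\s*\w+\(\s*\w+\s*,\s*(\d+)\s*\)", code_only)
    return payload, (int(call.group(1)) if call else None)


def score(text):
    """Printable ratio plus JS token count; higher means more script-like."""
    if not text:
        return 0.0
    printable = sum(c in "\t\n\r" or " " <= c <= "~" for c in text)
    return printable / len(text) + sum(text.count(t) for t in JS_TOKENS)


def recover_key(payload):
    """Try all 256 single-byte keys and keep the most script-like result."""
    best = max(range(256), key=lambda k: score(xor_str(payload, k)))
    return best, xor_str(payload, best)


def analyse(script):
    """Return (declared_key, recovered_key, decoded_text) for one wrapper page."""
    payload, declared = extract(script)
    recovered, decoded = recover_key(payload)
    return declared, recovered, decoded


# --- constructed sample: a harmless payload wrapped the way the page shows ---
SAMPLE_PLAIN = ('function start() { var msg = "constructed sample"; '
                'document.title = msg; return msg; } setTimeout("start()", 2000);')


def build_sample(plain, key):
    """Build a wrapper script around `plain`, XOR-encoded with `key`."""
    enc = "".join(c if " " <= c <= "~" and c not in '"\\' else "\\x%02x" % ord(c)
                  for c in xor_str(plain, key))
    return ("function xor_str(plain_str, xor_key) { /* as on the page */ }\n"
            'var plain_str = "' + enc + '";\n'
            "var xored_str = xor_str(plain_str, " + str(key) + ");\n"
            "eval(xored_str);\n")


if __name__ == "__main__":
    for key in (20, 173):                     # the key differs per download
        declared, recovered, decoded = analyse(build_sample(SAMPLE_PLAIN, key))
        print(key, declared, recovered, decoded[:32])
```

Because the brute-force pass ignores the declared key, the same decoded text comes out whatever key a given download used, which gives a scanner a stable string to match on.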

All in all I think it is rather sad that malware this lame will probably do its intended job and net a few more netizens for the botnet empire.

Fun’n’games.

Malware Spam Joy

Note: This entry has been restored from old archives.

Malware seems to be getting more straightforward these days, from a short while ago:

We are looking for Consumer opinions of our new software Digital Kittens

This beta testing will enable us to fine tune the software for public
release. For helping out, you will receive a free edition and 5 years of
updates.

1: Download the software  2: Try it  3: Tell us what you think If you
want to participate, just follow the link to our download site:
http://7w.2xx.2y.1zz/setup.exe

Who wouldn’t want free digital kittens?! You can play with beta kittens, help some company out, and get years of free digital kittens as a reward. How do you fight that wetware exploitation? “Don’t accept kittens from strangers.”? I have trouble getting over the point of view that “it’s damn obvious that you don’t execute unsolicited .exe files”, but the fact is this still seems to only be obvious to a minority of computer users. Got to have that AV installed! It’ll give you some protection, though probably won’t be much use if you’re in the first wave of recipients of a properly engineered piece of malware that’s been tested against the AV engines.

VirusTotal.com tells me (with engines that failed to do the job edited out):

AhnLab-V3           Win32/Zhelatin.worm.140367
AntiVir             WORM/Zhelatin.Gen
Authentium          Possibly a new variant of W32/Fathom.3-based!Maximus
Avast               Win32:Tibs-BFG
AVG                 Downloader.Tibs.7.X
BitDefender         Trojan.Peed.IGS
CAT-QuickHeal       (Suspicious) - DNAScan
ClamAV              Trojan.Small-3637
DrWeb               Trojan.Packed.142
eSafe               Win32.Zhelatin.hq
eTrust-Vet          Win32/Sintun.AE
Ewido               Worm.Zhelatin.hq
Fortinet            W32/Tibs.GN@mm
F-Prot              W32/Fathom.3-based!Maximus
F-Secure            Email-Worm.Win32.Zhelatin.hs
Ikarus              Email-Worm.Win32.Zhelatin.hq
Kaspersky           Email-Worm.Win32.Zhelatin.hs
McAfee              Tibs-Packed
Microsoft           Trojan:Win32/Tibs.DV
NOD32v2             Win32/Nuwar.Gen
Norman              W32/Tibs.ASFB
Panda               W32/Nurech.AU.worm
Sophos              Mal/Dorf-E
Sunbelt             VIPRE.Suspicious
Symantec            Trojan.Packed.13
TheHacker           W32/Zhelatin.genw
VirusBuster         Trojan.Tibs.Gen!Pac.132
Webwasher-Gateway   Worm.Zhelatin.Gen

This kitten is diseased. Time to back over its poor little head with a car.

Singles Club

Note: This entry has been restored from old archives.

A friend of mine was recently asked to jot down a C++ singleton implementation in a job interview, ah the venerable singleton. I guess we’ve all used it sometime or another, possibly trying to fit it into our designs just because it is cool.

Anyway, this dude is positively allergic to anything that looks inefficient. However, since threads are still considered cool locks become necessary, and locks are slow! So a seemingly common enhancement of the singleton is the “Double-Checked Locking Pattern”. This has the dual goals of supporting threaded client code safely and making optimisation junkies happy.

Singleton* Singleton::instance() 
{
    if (pInstance == 0) 
    {
        Lock lock;
        if (pInstance == 0) 
        {
            pInstance = new Singleton;
        }
    }
    return pInstance;
}

[[copied from the paper below]]

I wouldn’t opt for this myself, but I’ve seen it and would have used it if asked for (or I saw a need for) something more efficient. My default implementation would leave out the top level if wrapper, which is the part that makes it “Double-Checked Locking”.

However! It gets horribly complicated, my friend’s interviewer took issue with this implementation. The explanation being that a compiler implementation has the right to decide to assign pInstance to the allocated memory prior to actually executing the class construction code. This was met with disbelief, and when I was told about it I had a hard time believing it too. But things really can be this bad, for an in-depth coverage of the problems with the “Double-Checked Locking Pattern” have a read of this paper (PDF) by Scott Meyers and Andrei Alexandrescu (found in this DDJ article, page 4).

What a nightmare.

It reminds me of something someone I used to work with always said about the C++ standard: “watch out for the weasel words”. More clearly, watch out for the things the standard doesn’t promise.

My friend did get the job, despite the disagreement, and it sounds like a good one. Congratulations! Todo list for first day: eat humble pie. Or maybe: debate practicality of DCLP given constraints of known compiler and platform behaviour and the possible requirement for performance over portability? 😉


On a totally random note, why do so many well-known artists have (supposedly official) MySpace pages that totally suck? Try reading this, or this. (Ah, the aural fun of opening multiple myspace pages.) Maybe their web designers just can’t handle working without 100% flash?

InfoSec 2007 – London

Note: This entry has been restored from old archives.

[Written mostly after I left InfoSec on Wednesday, but not cleaned up and posted until Sunday — no rest for the restless.]

Phew, I just escaped from InfoSec. I have serious respect for the sales and business guys who manage to make these conferences a productive experience. I come at these things from a technical perspective and there just isn’t a good mesh between me and the “guys in suits”. Mostly because they want to try and sell me things and as soon as they realise I’m not in the business of buying things and, worse, work for a company that might want to sell them things they squirm. Of course, I’m “just a developer” so I guess I shouldn’t feel bad about this, at least I had some good discussions with people we already know.

In general InfoSec was an interesting show, there’s a heck of a lot to take in there but it’s all very high level (i.e. kindergarten-like talks on rootkits and malware by people I know would like to get into the details but have to tailor for an audience wearing suits). I think that overall the most useful aspect of the show is that you get a very good view on who’s out there, what they do and what their associations are. There’s also a lot of good indicators of what the business-mass is thinking. Right now it seems to be UTMs/Appliances — seriously, every damn company seems to have a range of security appliances these days. If they don’t have their own appliances they line a wall with all the appliances they OEM to. The other thing is a sudden proliferation of web/mail-security-as-a-service businesses. Hosted secure mail solutions everywhere (where we mostly just saw MessageLabs a few years ago). There’s an upwelling of external secure-web-proxy services too — essentially taking the technical overhead of Web/Mail security maintenance away from businesses.

On a work front I met some new developers from companies we’ve had dealings with. In fact, for me this was the most productive element. I learnt some things about people’s first impressions of our stuff, some thoughts worth feeding back to Sydney but nothing we’re not already aware of. It’s also great to meet people you’ve exchanged emails/IMs with but have never met, sometimes just for the surprise of how much they do not match the mental image you have built up! And then there’s the long conversations about search algorithms, and analysis, and similar fodder for geek conversation — something I don’t have as much opportunity for these days. But I must try to remember to keep away from topics along the lines of nuclear powered bicycles and zombies, even most tech geeks aren’t prepared for that stuff.

There were “booth babes” in abundance, so much for PC. The problem is that, while it’s all very well having an attractive woman handing out brochures and the like, it all falls apart if you try to discuss the products/technology with them. Initially I was naive enough to try this (hey, I haven’t been to many of these things), but gave up fairly early on. And what does this lead to? You begin to look at any female at a booth as little more than a pamphlet-stand, most likely including several who are actually sales/tech people representing their companies. I can’t say I have anything against a veritable suffusion of babes, but there is a time and a place for these things and I don’t think a security conference is it. I don’t even think that having to make up for large numbers of fuzzy to semi-fuzzy geeks and large Americans in suits is a good enough excuse.

I was feeling rather drained by about 16:00 so headed out to Seven Dials for a couple of double-espressos at Monmouth… ahh, great coffee. Now we’re having a decent feed at The Wellington on The Strand (they deep fry a good fish, and the Aberdeen Angus burgers are sufficiently meaty though a little plain). After this time to head home, report, then collapse.

Win32 Tab Completion

Note: This entry has been restored from old archives.

Here’s a little tip I picked up from a colleague. If you’re stuck in a Win32 world where the cmd.exe completion setting isn’t defaulted to enable tab completion (like on Windows 2000), look here: CompletionChar.

To cut right to the important bit, run regedit and navigate to: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor. In here you’ll find CompletionChar and PathCompletionChar – change both their values to 0x09.

There are equivalent CURRENT_USERS entries too if you prefer not to do it system-wide.

This is probably only Win2k … I’m stuck in the ancient past here. 😉

Prompt Insanity

Note: This entry has been restored from old archives.

My $PS1 is a creature evolved over the years, it amazes me to consider how much accumulated time I must have spent on this simple little critter. For the last couple of years it’s been pretty stable as the simple “\u@\h:\W\$” with some occasional colour. I’ve been through phases of executing commands in my $PS1 to add further data (don’t, it fucks with $?) and I have a custom $PROMPT_COMMAND to issue a terminal control sequence to put similar info in titlebars (where I execute a $(date …) to add a timestamp, this doesn’t bother $? though).

Yesterday I noticed a recurring problem… I keep losing a $? that I’m interested in. Often because I go to another terminal and do something else while something executes, then I return and do something silly like “automatic ls”. Does anyone else do “automatic ls” I wonder, it’s where you run ls for no particular reason — I tend to do it every time I switch to another terminal, also if I’m just looking at an existing terminal and thinking my fingers seem to have a “background ls” function. It’s like looking around the room I guess.

Anyway, back onto the point. This little problem prompted me to redo my prompt and along the way find a better way to do the terminal title:

    ps1xt='\[\033[1;35m\]$?\[\033[0m\]' # Last exit code, magenta
    ps1us='\[\033[1;32m\]\u\[\033[0m\]' # Current username, green
    ps1mc='\[\033[1;36m\]\h\[\033[0m\]' # Current hostname, cyan
    ps1wd='\[\033[0;32m\]\w\[\033[0m\]' # Current working dir (\w is full, \W is basename), dark green
    export PS1="\[\033]0;<\$?>\u@\h:\w(\t)\007\]<$ps1xt>$ps1us@$ps1mc:$ps1wd\$"

So, no more $PROMPT_COMMAND as the control sequence is embedded in $PS1 now (everything within the first \[…\] group). This gives an added bonus of being able to simply use $PS1 substitutions for all the info. The only real difference between this prompt and what I had before is the addition of the <$?> at the start, so now my exit codes will always be in the terminal backlog! (Until I do something else automatic like a ^L.) Also added the $? to the title bar, which works well since I can see the code when I’m in another window frame this way.

One possible annoyance is the extra length of the prompt, the last thing you want is a prompt taking up overt character width. Two possible reductions would be to: 1) remove the \u part, how often are you not sure who you are? 2) Make \w a \W so the CWD part can’t get too long so easily. Given the colour differences you could also remove the punctuation I guess, save yourself 4 chars. You could also stick a \n in before the final $ and make a two-line prompt I guess, I used to have one like that (a long time ago when I first discovered PS1 and put everything but the kitchen sink in there).

A lot of people will hate the colourfulness, I hate it myself sometimes. The main function is that I use different colours for the \h on different machines so I can very quickly recognise which machine I’m looking at. The rest of the colour is just for the sake of being garish.

<0>yseth@odysseus:~$ls -e
ls: invalid option -- e
Try `ls --help' for more information.
<2>yseth@odysseus:~$ls -e

“:;”? OR Re: Re: Prompt Insanity

Really, one of these days I might do something about comments.

Sometimes I do get upset at my long and garish prompt and blast it with PS1=’>’.

I hit the good old ‘arg list too long’ fairly often, dealing with very large HTTP corpora. I’m rarely in a corpus directory though so this has yet to break my auto-ls habit.

As for other shells, I’m not diverse enough in my shell usage to consider the world outside of bash. I would have thought that .bashrc’s PS1 setting wouldn’t matter there.

Finally, I pretty soon realised that embedding my usual PROMPT_COMMAND into PS1 has some occasional issues – it isn’t “magically invisible” when you have a console login … so now I have made it conditional in a $TERM case…esac block.

For the “good” of the web:

    ps1xt='\[\033[1;35m\]$?\[\033[0m\]' # Last exit code, magenta
    ps1us='\[\033[1;32m\]\u\[\033[0m\]' # Current username, green
    ps1mc='\[\033[1;36m\]\h\[\033[0m\]' # Current hostname, cyan
    ps1wd='\[\033[0;32m\]\w\[\033[0m\]' # Current working dir (\w is full, \W is basename), dark green
    case x$TERM in
    xxterm|xrxvt)
        # Title-bar escape sequence, only for terminals that understand it
        ps1pc='\[\033]0;$?:\u@\h:\w(\t)\007\]'
        ;;
    esac
    export PS1="$ps1pc$ps1xt:$ps1us@$ps1mc:$ps1wd\$"

EZRSSFeeds and other WebSuckers

Note: This entry has been restored from old archives.

For random primates, such as myself, friendly spiders and assorted maladroit suckers of all the Internet’s most rank drivel must represent near 100% of our readership. Since, in truth, most people are little better than the few lines of code behind my most frequent website visitors I bid you all welcome. You’re welcome to be my friends Googlebot, Baiduspider, Gigabot, TurnitinBot, Zeusbot, msnbot and the other 65 or so eaters of my robots.txt I have seen in the last year. But those of you who shun my robots.txt, especially those of you lacking decent user-agent strings, can crawl back into your dingy holes with the slugs and worms (I’m looking at you: bots from EZRSSFeeds, WebSense (Konqueror my arse) and other houses of deception). Alas for you, even these clammy denizens of dank and musty places will probably shun your presence.

One of your number seems to have more in common with the leech than any other form of life. To me this nefarious creature appears to propose: “I’ll make it easy for you to steal content to put on your website to fool Google into thinking you actually have content of your own.”.

Highlights:

  • No mention of copyright or content ownership on the site, none that I can find.
  • The “spider” page doesn’t tell you about the spider employed, it tries to sell you some kind of “spider”.
  • The bot grabs RSS with high regularity. (>30 hits in the last 8 days.)
  • The bot doesn’t advertise itself via user-agent, it doesn’t send a user-agent string at all. (But its IP reverses to the domain name: 147.202.50.50)
  • I’m guessing here, but I bet the bot pays no attention to robots.txt! (The IP above started hitting RSS on my site in September 2006 and has never requested the robots.txt file).
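The signals in the list above (no user-agent string, regular feed polling, never requesting robots.txt) can be checked mechanically against an access log. The Python below is an added example, not the author's script: it assumes the combined log format, a feed served under /feed and a threshold of three feed hits, and the log lines are constructed using documentation address ranges.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed; the page does not name the server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Sep/2007:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleBot/1.0 (+http://bot.example/)"
192.0.2.10 - - [01/Sep/2007:10:00:05 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+http://bot.example/)"
198.51.100.7 - - [01/Sep/2007:11:00:00 +0000] "GET /feed/ HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [01/Sep/2007:17:00:00 +0000] "GET /feed/ HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [01/Sep/2007:23:00:00 +0000] "GET /feed/ HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [02/Sep/2007:05:00:00 +0000] "GET /feed/ HTTP/1.0" 200 5120 "-" "-"
203.0.113.5 - - [01/Sep/2007:12:00:00 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "ExampleReader/2.1"
203.0.113.5 - - [02/Sep/2007:12:00:00 +0000] "GET /feed/ HTTP/1.1" 304 0 "-" "ExampleReader/2.1"
203.0.113.5 - - [02/Sep/2007:12:01:00 +0000] "GET /2007/09/a-post/ HTTP/1.1" 200 8000 "-" "ExampleReader/2.1"
"""


def client_stats(lines, feed_prefix="/feed"):
    """Aggregate per-IP counters from access-log lines; unparsable lines are skipped."""
    stats = defaultdict(lambda: {"requests": 0, "feed_hits": 0,
                                 "robots": False, "blank_ua": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m.group("ip")]
        s["requests"] += 1
        path = m.group("path").split("?", 1)[0]
        if path == "/robots.txt":
            s["robots"] = True
        if path.startswith(feed_prefix):
            s["feed_hits"] += 1
        if m.group("ua") in (None, "", "-"):   # missing header is logged as "-"
            s["blank_ua"] = True
    return dict(stats)


def signals(s, min_feed_hits=3):
    """List which of the post's three signals a client shows."""
    found = []
    if s["blank_ua"]:
        found.append("no user-agent")
    if s["feed_hits"] >= min_feed_hits:
        found.append("repeated feed polling")
    if not s["robots"]:
        found.append("never fetched robots.txt")
    return found


def suspicious_clients(lines, min_feed_hits=3, min_signals=2):
    """Return {ip: [signals]} for clients showing at least min_signals signals."""
    result = {}
    for ip, s in client_stats(lines).items():
        found = signals(s, min_feed_hits)
        if len(found) >= min_signals:
            result[ip] = found
    return result


if __name__ == "__main__":
    for ip, why in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", ", ".join(why))
```

A single signal is weak on its own (an ordinary feed reader never asks for robots.txt either), which is why the example reports a client only when several coincide.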

I’m blocking the little bugger’s IP now, for general bad behaviour and likely evilness… but that’s only effective up until it starts crawling with a different IP. In truth, if you put stuff on “the Web” there isn’t any way to protect it, consider it “fair game”. With just a little work this bot could be made much harder to identify, since you’re already behaving in a questionable way why not start employing bot-nets to do the surfing, and use some legitimate UA strings! You’re a dumb bot! As a friend of mine might say: no bot-biscuit for you! I think there is a viewpoint floating around that sees providing an RSS feed as permission to play free and easy with the content. People who write weblogs are essentially attention whores so any distribution of their content must be a good thing in their eyes, right?

Now, to some squishy human life-forms: If you’re considering using the service associated with this bot, or anything similar, you might want to consider potential copyright implications. It might be fine, maybe it just provides excerpts and properly references the source, or maybe not. Like I said, their website makes no mention of copyright and their bot doesn’t identify itself, this is incriminating behaviour in my opinion. If it is legitimate why doesn’t it do the right thing?

Alternatively, just write some bloody content you poop fairy.

To the leeches: My apologies if I offended you.

Back to the good bots: Goodnight my friends.