This week on the podcast we discuss RedSun, the latest researcher-disclosed zero-day in Microsoft Windows. After that, we chat about a Europol-lead takedown of DDoS-for-hire services before ending with our thoughts on Microsoft's latest RDP security updates.
View Transcript
Marc Laliberte 0:00
Hey everyone, welcome back to the 443 security simplified. I'm your host, Mark Laliberte, and joining me today is
Corey Nachreiner 0:07
Corey the Big Shot CISO Nachreiner, Mark
Marc Laliberte 0:13
feisty, today's episode,
Marc Laliberte 0:17
I'll be doing all the work while Corey just listens along and
Corey Nachreiner 0:21
pretty much teach me about what's happening. That's what I'm here for, right?
Marc Laliberte 0:26
Yeah. Well, anyways, for real, we're going to start with the discussion of red sun, which is yet another zero day vulnerability just dropped instantaneously by a researcher known as chaotic Eclipse, whatever we get the first part of their name. From after that, we'll quickly cover "operation power off" a joint takedown from Euro pool and other international law enforcement to take down distributed denial of service as a service offerings. And then we'll end with a new update from Microsoft to help make people more secure in the world of RDP or remote desktop protocol
Marc Laliberte 1:05
with that, let's go ahead and connect our way in.
Marc Laliberte 1:15
So Corey to start with. A couple weeks ago, Microsoft put out a out of cycle update to resolve a zero day called Blue hammer,
Marc Laliberte 1:24
a researcher called chaotic Eclipse, they published a POC after getting frustrated with Microsoft's vulnerability disclosure program. It forced an out of cycle patch. Funny enough, when Microsoft patched and disclosed the CVE, they did not credit this researcher. They said that their report was initially turned away because they were missing a proof of concept video. They didn't want to deal with it, so they just released the the POC,
Corey Nachreiner 1:49
oh my gosh, I that's kind of the
Corey Nachreiner 1:53
Microsoft's response is kind of dumb, like, if some researcher is giving you everything, including a POC, but you like, okay, maybe I'm interpreting here, but you said POC video. If I was given details for a vulnerability, hopefully it's enough to recreate and maybe even POC software, I think I would reject it, because I don't have a video that
Marc Laliberte 2:16
I'm assuming because they dropped the the actual GitHub repository with the proof of concept back then, immediately after this, I'm going to assume they gave that to Microsoft, and maybe they were just missing the video.
Marc Laliberte 2:32
But So either way, that was back then, the the very first one Microsoft hatched it, yep, didn't give them credit. Just this last Thursday, chaotic Eclipse returned and published another zero day this time, Eclipse or nightmare Eclipse or Eclipse. I thought it was chaotic Eclipse, Eclipse. Maybe their GitHub repository is their. Their handle was chaotic earlier. But anyway, change their name, and by the way, it is. They are, as you can see in their thing they did blue hammer. Interestingly enough, there's an undefend one that's intro you might want to look at after the podcast. Good. Another one. Anyways. So they published another vulnerability, this one local privilege escalation to system by abusing how Microsoft defender interacts with Cloud synchronized files and the vulnerability. It's a little bit complex. We'll walk through it and some of the pieces of it, but I came up with an analogy, I think that kind of explains what's going on with this. So Microsoft defender on your computer is like a janitor. They run at system privileges, meaning they've got keys to every single room on the computer, and they are responsible for finding dirty things and cleaning them up and putting things back where they're supposed to belong. That janitor picture, they come across a box hanging out in a room, and that box has a sticky note on it that says, Put me in the master control room, and the janitor, without verifying what's in the box or whether it really belongs in the master control room, just picks it up and puts it in there, and then out pops someone from the box, and they take over the entire building. That's effectively what's going on in this vulnerability defender is trusting something that it's getting from one of these cloud sync providers that we'll talk about in a second, causing it to move or download a file into a place where it should not be downloading it to.
Unknown Speaker 4:33
There's a couple of like components in Windows that you'll need to, at least have to go further mark, because I see they only posted the image of it, not a video. So I think we should reject this vulnerability. It can't be real. It's not like they didn't post full code showing how it works. So I sense your sarcasm. I'm I'm actually kind of on the fence on this, like, obviously Microsoft was wrong. They should have accepted the report.
Unknown Speaker 5:00
Or they should have credited the researcher for the first one, and they should have worked with them a bit better. The only thing that like to play the like devil's advocate, Microsoft is a very large company, and I'm sure they receive 1000s of vulnerability reports on a weekly basis, maybe on a daily basis, and I could see why they might have, like, a baseline requirement that if you're submitting a report, you need to, like, screen record the proof of concept to try and filter out some of, like, the AI generated crap that they're going to be getting, probably on a even higher level than we are at Watchguard. So it's like, I'm a little sympathetic. Obviously, if that is a requirement, it proved out to burn them and tick off this researcher. But anyways, sarcasm,
Unknown Speaker 5:50
reviewed and accepted.
Unknown Speaker 5:53
Let's get back to the vulnerability. Actually, we were showing the GitHub, but as you talk about it, I've brought up another article that we can use while you're talking. Yeah. So first things first, Windows has this concept of a reparse point, which is basically a redirect that's built into the Windows file system. When you have one set up, if you open up a folder, Windows can silently say, actually, don't open that folder. Open this one instead. And this is the mechanism behind like OneDrive virtual folders. If you have a one drive enabled on your Windows computer, you've probably noticed those virtual folders where, when you click up, like documents, it loads up your My Documents directory on the local file system. This mechanism behind the scenes happens at the kernel level,
Unknown Speaker 6:40
meaning it's on its own protected but it opens up some additional permissions or potential access points another piece so Cloud Sync providers, one drop, OneDrive Box, Dropbox can all register as a cloud sync provider through an API built into Windows, they can Then drop a placeholder file into a folder which windows can then rehydrate by downloading the full file again. Anyone that's used OneDrive before, you've probably noticed, like the grayed out or with the little cloud icon, files that like, quote, unquote, exist in that directory but haven't been downloaded yet, versus the ones that you download a copy onto your local file system, so you actually have the thing there to use. So all of that, like kind of works behind the scenes in Windows, and it opens up this interesting attack scenario where the researcher found that an attacker can register a folder as a cloud sync provider through the API. So this all starts with an application they have to run. So they have to be able to run code on the endpoint. This is just letting them run any arbitrary coded system. So they start by registering their folder as a cloud sync provider, let's say, like evil box.com doesn't matter. It doesn't have to be a real one. They then drop a placeholder file into that folder, and specifically a placeholder file that has a malware signature, like the ICAR test screen test string in it, for example. They then stamp a reparse point on that sync folder, redirecting it to see Windows system 32 like the most privileged of privileged
Unknown Speaker 8:14
directories and windows, where all of the important internal applications live, they're basically saying, Oh, if you open this folder, no, go open see Windows system 32 instead. So defender sees the signature of that placeholder file and decides it needs to clean it up. It then follows the origin path back to the attackers folder. The kernel intercepts that path traversal, fires that reparse redirect and sends defender to see Windows system 32 instead. Now defender attempts to rehydrate or retrieve that full file from the placeholder one, which basically downloads the file from the attackers controlled fake little cloud thing into the C Windows system 32 directory. So the attackers cloud sync provider and their proof of concept delivers and overwrites the legitimate tiering Engine service dot exe, executable, and then the proof of concept triggers the tier management system executing that code they ran as system out of C Windows system 32 so basically it lets them trick defender into just dropping a malicious file in the really important system, 32 directory, which causes other things to load it up and run it as system easier security products to load malware. Sounds great. It sounds great. This one's interesting, where it feels like it might actually be pretty difficult for Microsoft to like, patch or like, defend against like, I could see where they maybe they could just like, add a filter where you can't add a reparse redirect to see Windows system 32 just like, globally, maybe they have to add some sort of filter.
Unknown Speaker 10:00
Defender to say, like, Don't rehydrate files and these known, sketchy or important directories, like, they might have to get a bit creative, because I'm not sure they could just, like blanket fundamentally change how Cloud Sync providers work or how their vparse points work. This is all like
Unknown Speaker 10:18
then theory, how these tools are supposed to work in silos. It's just combining them all together causes this vulnerability on the endpoint. But yeah, it is interesting seeing defender being the one enabling a privilege escalation to system
Unknown Speaker 10:36
as of this recording, which is, I think, two days after the proof of concept was released, there's no CVE for it. It is still unpatched in Windows. Slash defender. The proof of concept code is on GitHub. Interestingly, Microsoft has not taken it down yet, like they have historically with other zero days you were showing it a second ago, yeah, and
Unknown Speaker 10:59
I'm sure even if they did try and take it down, it has been copied and cloned and forked all over the place. So it's cats out of the bag. That's cpp files everywhere.
Unknown Speaker 11:09
Anyone, I guess, to the GitHub could have, just like, in a second, downloaded the zip of everything.
Unknown Speaker 11:15
I guess, like, like, the kind of silver lining for this, it is just a privilege escalation. It's not like it requires, yeah, it requires that local access in order to do so, yeah, but those are still valuable vulnerabilities for attackers, where, like, the first thing they do once they gain access to an endpoint through something else, is try and escalate the system, which opens up a whole nother avenue of credential theft and other lateral movement opportunities within a domain. By the way, while I wasn't showing screens to go with what you were sharing with us, I was looking at undefend. Undefend is only five days old. It was only posted three days before this one. It seems to be only like local privilege escalation, and is more a DOS tool to defender, though, but it looks like it has the capability to in two different modes. One mode is passive, it can dos defender from getting updates from Microsoft, and the other way is aggressive, and it can completely disable it, but only in certain cases or Microsoft push doesn't update. So for those interested that you know, a five day old, I presume also zero day, although probably less severity still local and just a DOS is
Unknown Speaker 12:31
also on nightmare Eclipse, now that they've changed their name for whatever reason, repository as well.
Unknown Speaker 12:38
I'm, uh, I'm looking forward to seeing whatever their Christmas presents they drop for us over the course of the next, like two weeks, because they seem to have a vendetta at this point of against Microsoft. It seems a little hammer. Yeah, I don't it's I, actually, I Microsoft is doing a good job, in general, trying to update security vulnerabilities. But I feel like, in this day and age, taking a researcher not taking a researcher seriously is not good.
Unknown Speaker 13:10
Yeah, not good at all, and we never know. I guess it goes both ways. We have also experienced external researchers that are more into
Unknown Speaker 13:19
blackmail, and extortion and forcing bounties, so who knows. And like I said, like, I'm somewhat sympathetic to Microsoft, like a company of Microsoft size, having more strict reporting requirements just to filter out all of the AI slop they probably get. But
Unknown Speaker 13:39
this is random, but it's interesting to anyone else. That takes things like threat reports, but we have a very official product security incident response process here at Watchguard. Mark did a lot to build that so very proud of it, but once you have an email address that you publish, you start to get really interesting emails. So the slop is no joke, I would say at this point with one random BS type thing to that thing a day, you know, we're probably only getting 30% real stuff to that email. Yep, the future is here, and it sucks. It's sloppy. It's sloppy. Anyways, moving on. So last week, Euro poll announced a coordinated action involving 21 countries against what they said were 75,000
Unknown Speaker 14:32
cyber criminals engaging in distributed denial service for hire services or booter services. As part of the action, they sent 75,000 warning emails and letters to
Unknown Speaker 14:44
criminals. They identified they made four whole arrests, they executed 26 search warrants, and they seized 53 domains related to these services. Now they put out a press release that was pretty interesting, and.
Unknown Speaker 15:00
Um leading up to the action, they also talked about some of the efforts they did, including seizing infrastructure related to some of these booter services, including like the servers and the databases involved
Unknown Speaker 15:14
that gave them access to all of the user accounts that existed on these services. So They even found 3 million active user accounts across all of these booters and stressors and DDoS as a service tools, and they use that to then go find an arrest, or in some cases, just send a nasty warning email to them, which find an interest, like a warning email feels like the least intrusive option they could have done, and have to maybe if it went to like a 13 year old, they'd get scared, but I don't know, I feel like I'd immediately write that off as a fish or something.
Unknown Speaker 15:53
But they mentioned also that the operation is now moving into what they call the prevention phase with additional campaigns. They're going to buy advertising space on Google with targeted messages towards young people searching for DDoS for hire tools. They're removing 100 URLs advertising DDoS for hire services from search engines. They're sending warning messages on blockchains used by criminals to make payments for them. And then they're also going to continue updating their operation, dash, power off.com website with additional stats. The first one was interesting. Like, when I think of the maybe not the typical, but a large portion of a user base for these tools, it's like the kid that got pissed off, that someone cheated on Minecraft, and they want to go take down the server, and they go search or agree for like some person that got upset that he lost on fortnette, so he DDoS is the person that beat him,
Unknown Speaker 16:51
or is that the Fortnite? Fortnite, Oh, Grandpa. Fortnite, sorry, I gave away that. It's not my cup of tea. No, I can see that.
Unknown Speaker 17:05
I wonder how much like one of these ads will actually mean to like a kid or a young adult or something when they go to Yeah,
Unknown Speaker 17:15
and instead of getting but probably about the same as how much the this is your brain on drugs. Nancy Reagan's frying an egg ad worked on all the Gen Xers who definitely don't do drugs, sarcasm, sarcasm, or maybe the you wouldn't download a car advertisements from a bit more my time.
Unknown Speaker 17:39
I'm sure that stopped all the piracy.
Unknown Speaker 17:43
Anything there? If you could download a car, you absolutely would
Unknown Speaker 17:49
3d printing. One day I want to print my own car, please.
Unknown Speaker 17:54
As someone in the market for a new car, if I could just download one instead, that would be amazing.
Unknown Speaker 18:01
There could be some like,
Unknown Speaker 18:05
there are people that are okay with being totally criminal, and people that are goody two shoes and people that are no they don't really want to hurt anything. It could be good for helping, like, people that aren't really trying to hurt things not to do silly stuff. See, like, some psychological, some psychological element in this, where, if they went to go search for this and they saw something from like the fbi.gov is the topic, hey, what you're doing is illegal. Maybe the thought would be, Oh, crap, I'm being watched. And then not that. That is, I think that's a bigger thing. That's why I think all the forum takedowns that get replaced with authorities. Badges are good psychological thing for the people that aren't really in it for the money, that are just so I agree with you 100% on that. And for a lot of like underground forums, like the ones that host these booter and stressor services
Unknown Speaker 18:58
anytime they have like a service disruption, and then come back up in like, a somewhat working state, like I tend to see a lot of posts pop up in them saying, Oh, it's been taken over by Leo, by law enforcement, for example. And it sounds like in this case, that actually was, maybe there wasn't a service disruption, but at least for a period of time, these services were taken over by law enforcement, and they were able to extract the user databases, and that shows kind of the power that international law enforcement has in gaining access to users that might ultimately lead to arrests too.
Unknown Speaker 19:33
I would just say if you're on the internet in any way, if you don't think that your ISP law enforcement, or if you think everything you're doing is hidden, you're crazy. And unless you have the best OpSec and VP and everything through proxy, yes, I agree with what you're saying, the law enforcement can get into bad guys infrastructure and learn about who's doing it. And by the way, if you're someone doing.
Unknown Speaker 20:00
In this you're throwing like, if you're not a crazy, super tradescraft OpSec type, security minded person, you're giving tons of information about everything you do to multiple parties every day you have a computer online. So
Unknown Speaker 20:17
I personally don't think crime or cyber crime pays well enough. I don't believe in it ethically, but I don't think it pays well enough, unless you have to be pretty elite to cover your tracks now or live in some sanctioned country that doesn't give a crap and will never give you up to the authorities, but you better like that country, because you probably can't leave it elite, meaning, like a tails VM on a burner laptop connected to the library Wi Fi from the parking lot using Tor to log in, or at least a tunnel with not enabling JavaScript and making sure to get the tails updates all the time, because even the Tor browsers and the tails distros have vulnerabilities and and and adding five of your own custom proxies on top of what tails automatically doing for you, because nothing is perfectly trustworthy. Have you read tail source code and make sure it hasn't been Yes,
Unknown Speaker 21:13
you make sure that authority like this is this. This is the war that's happening among the real advanced nation state actors, in my opinion, or more realistic, AI to it where, if you're not capable of doing all that, someone is writing the agent that is,
Unknown Speaker 21:33
or more realistically, you're connecting from your home in Russia, and none of this actually matters. Yeah, then you then you're fine, as long as you like, never go on vacation forever.
Unknown Speaker 21:43
Exactly, because, wasn't it, it was the guy that hacked LinkedIn was arrested when he went on vacation to Prague and extradited the US. Some of the ones in Ukraine were actual Russian individuals that went to, like, it's there are apparently some countries that don't that look the other way, but you better really, really like that area of the world. Yep. But hey, you know what good news? We just shut down a bunch of more stressor services. So hats off to Europe pool and the consortium of law enforcement. Yeah, we're good news on our podcast. I've got some more good news. Corey, oh yeah.
Unknown Speaker 22:23
So Patch Tuesday was this last Tuesday, which introduced a behavior update to the Windows Remote Desktop Connection client to help train users into making better decisions with RDP files.
Unknown Speaker 22:37
So I'm going to start right away with we.
Unknown Speaker 22:41
We we are technology nerds. You might think I've given some of it up with my fancy C level title now, but we, I think we like really technical, cool parts of security, hacks and stuff like that. But I like this one because, as the CISO, while you may joke, I don't do real work, I think the human side of information security is actually the more important side. I think things like most breaches aren't using this zero day we're talking about there has some dumb stolen credential because some user did something they didn't do or didn't look at a pop up when Excel told them there was a macro. So I think what you're going to be getting into is some changes that are more trying to affect user behavior, and I think they're just as important as the technical stories, is all I'm saying. So let's get into it. Keep going. Let's get into it. So for those that have never touched a Windows computer before, a RDP file is effectively like a connection profile with instructions to tell Windows how to connect to a remote computer who would have, like, its IP address, its username and password, even some connection settings in there, so that if you just click the profile, it automatically opens the RDP client and connects to that remote system. It's a nice, easy button file, but it's also a freaking file that may have embedded a lot of critical, sensitive information you don't want getting out. Yep, because RDP exposes resources from the client to the destination, also it can expose local storage drives, so the local file system can expose the camera the clipboard, so anything you copy and paste is visible on that remote destination with the right settings, meaning like you're not totally sandboxed from what you're connecting to. And so if you can trick a victim into connecting to a malicious destination, you can take actions up to interacting or at least reading things off the file system, or stealing anything out of their clipboard, like passwords they might be copying around.
Unknown Speaker 24:41
So one social engineering technique involves sending an RDP file through a phishing email, sometimes directly attached, sometimes in a zip archive with a hook, trying to trick the victim into opening it, thinking it's like a document or something. When the user opens the file, their device will silently connect back to the server.
Unknown Speaker 25:00
Under the attacker's control, and often share local resources like clipboard or even storage systems too. So the updates Microsoft are adding that help draw attention to the risk from these files for users that may not be aware of it, the very first time that you open an RDP file after the latest Windows Update, it will get a big warning, or, I guess, a small warning that pops up, explaining the risk associated with it, and even linking back to a pretty helpful learning center, Learning Center documentation that Corey showing on the screen right now for the YouTube viewers. By the way it is designed, that it can be a first launch dialog, meaning that you can click something that says, I understand this, and in the future, I don't want to see this again. Essentially, my recommendation is I, I almost want my users to have the continued nag. I don't I like it's good that there. I know they as a vendor that sometimes has to do what the customer wants for convenience. I guess they it looks like they leave that dialog unchecked. So the default will be to show it over and over again. If you simply sit or actually, I maybe you can't. It looks like okay is grayed out. I would be a little disappointed if you can check that and say okay, and it doesn't come up every time.
Unknown Speaker 26:23
Yeah, so if it allows you to okay it, I would recommend not checking that so users get a reminder right now it is the first run. They have to click the I understand and allow RDP files to open on this device before they can continue. But that is only displayed once. It's a bummer. After that there is for a power user. Don't get me wrong, if you know what you're doing, you want that box to be an option, but I think, I think they should allow you to pass the dialog and have a repeated run of that dialog as an option, unless you click the box.
Unknown Speaker 26:59
I know. No, you listen anyway, let's keep going. Yeah, after the next one, because it kind of plays into the next bit. So after that first run, every RDP file that opens has another dialog that pops up too. So RDP files can be digitally signed, just like any other application on Windows you've probably seen. When you run an executable for the first time, it pops up a window telling you a little bit about the developer and the certificate used to sign it. When an RDP file is not digitally signed, Microsoft is going to display a orange warning to the user that says that they can't verify the identity of it. When it is digitally signed, they get a slightly different banner. It's yellow in this case, and it just tells the user to verify the publisher. So here's where my recommendation would come in, like, I feel like everyone's going to ignore those two banners when this pops up, because they tend to ignore those types of banners on everything else that they use, like Word or Excel, like you mentioned. But I would like to see some mechanism where,
Unknown Speaker 28:02
on a per destination and credential basis, maybe they would get a warning, but they could accept it for that destination credential, but for any other new file, like continue, getting warnings, I see, and maybe the same with the certificate, if it's a known even if It's a known certificate, maybe there is an option to accept that known certificate connection as one you keep, and it doesn't warn you. I will say, the one thing issue I have, like the second one, the digitally signed verify publisher, is technically, if the ecosystem worked perfectly all the time and implementations work perfectly, this is, you're right. This is a nice fail safe on top of not having the first dialog, my issue is, and I'm thinking, I can't think of a specific example, but I can think of it for web. If you think about web domains that are also digitally signed in a slightly different way, but same general concept. There are many products you use that end up having self signed certificates that fail security checks, and would have this that people get used to just accepting because they know it's a self signed product, and that really is the Products page. I'm not sure, but I wonder if there's situations where there's some sort of product or connection that would have to have something self signed, and thus would not like just having no verifiable publisher. According to people that have gone through Microsoft's process for that, I don't know if that really tells you if it's legitimate or not. I feel like there's probably some legitimate use cases where, unfortunately, something about the RDP use case might end up with non verifiable publisher, but I don't know, for for, like, systems administrators or MSPs, like, if you're going to give a user an RDP file, you should make sure it's signed with, like, their domain certificate, so that it doesn't display the big, ugly orange warning, it displays the slightly happier yellow warning.
Unknown Speaker 30:00
And telling them to
Unknown Speaker 30:01
at least verify that box of who the publisher is,
Unknown Speaker 30:07
but that takes developer knowing all this and doing the right thing. By the way, here's the slightly happier warning,
Unknown Speaker 30:14
Yep, exactly. So it's still a good step in the right direction, but I don't think this is going to solve the issue of RDP file phishing. Now that's not the end of it, though. They also with an RDP file, the resources exposed from the client are called redirections. By default, these files will have all redirections disabled, things like drives or clipboard or webcams or even webauthn credentials. It's like Windows, hello, stuff like that, and the user will have the option to select one or more of them to enable on a per file basis. So I'm hoping that, by the way, in the dialogs we were showing before, whether it's it's signed or not, you can pick which ones you want to allow. So I'm hoping, like, the combination, users are used to seeing that all the time when they accept new apps that have different permissions as an analogy, yeah. I'm hoping the combination of like that cryptographic signature, the additional steps they have to do to enable, like, the risky portions of the remote desktop, will make a meaningful impact. But like we still see, social engineering is pretty good at tricking users into clicking stuff, copy pasting commands, whatever one of my issues is, I started this whole thing saying, I really do. I actually think products trying to give non technical users advice around potential security risk is good, but we just had a complex discussion to know what verifiable publisher versus not verifiable publisher is having to know what redirections mean to all. And, you know, web auth N, yes, they say, windows, hello, that might like what non technical user really understands all of this. So
Unknown Speaker 32:00
it is good, but I like you say,
Marc Laliberte 32:05
maybe 50% of users don't even know what's going on, and just keep on hitting the next button that they need to to force the connection to happen. But hopefully in this case, if they hit the next button that doesn't expose any of those redirects, so it's a relatively harmless The default is everything is unchecked, yeah, and, like, maybe I'm a little more cynical than you, even where, even if it is, like, good training that maybe they wouldn't understand, I'm willing to bet most people won't even click that link and read the information in it. Either they'll just immediately go, sounds great. Let me go click the okay button, and then
Corey Nachreiner 32:41
it's a nice reminder for power users, though, like, if I saw that, I would pause, but yeah, either way, I think you're right that the defaults are more secure, that they don't allow those redirections by default, and they are giving people the opportunity to make the right choices. It's still no like with any company, I wish we could use for secure defaults, but we sometimes have to give customers choice because they'll complain otherwise, but it looks like they can still hurt themselves if they don't choose. Right?
Marc Laliberte 33:11
Yep, but hey, even an inch forward is still forward progress. So,
Marc Laliberte 33:18
well done, Microsoft. That's one more point for the negative 10 points that you got for that vulnerability, response, earlier,
Corey Nachreiner 33:28
step forward, or one step back, and maybe a couple for if I'm feeling nice or the opposite, if I'm feeling the opposite,
Marc Laliberte 33:37
which, judging by today, I'm assuming it is the opposite.
Corey Nachreiner 33:43
Up in the air. You guys decide how I feel.
Marc Laliberte 33:47
Yep, well, good luck to everyone and navigating
Corey Nachreiner 33:52
the worst state to be that is the worst state.
Marc Laliberte 33:56
And good luck to everyone on navigating your users through these scary New dialog prompts. Hey,
Marc Laliberte 34:05
Hey everyone, thanks again for listening. As always. If you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to us on the social medias. I'm at Blue Sky at it's mark.me corey's secadept, both of us are on Instagram at Watchguard, underscore technologies.
Marc Laliberte 34:29
I think that's it for the socials, right? That is cool. So thanks again for listening, and you will hear from us next week.
