I have been dealing with situations like this for years, working with computers in a small school and at a nonprofit volunteer organization, shared by many. It seems that whenever I turn on any of these machines, the background is set to something ugly, the screen resolution is weird, there is some cute animated mouse cursor, and someone has left their most intimate secrets in a document on the desktop.

Microsoft Steady State solves all of these issues by providing a means of creating a golden configuration that is restored to absolute perfection the next time the machine is rebooted. But download it before the end of the year, when it will be pulled by Microsoft!

Steady State Magic

This free product gives you the ability to configure accounts on your XP or Vista machine with several fine-level access controls. For example, you can prevent users from changing screen settings or prevent them from writing to anywhere other than their personal “Documents and Settings” directory.

But by far the coolest feature is the ability to turn off hard drive writes altogether. When you do this, Windows slips a layer between the OS and the physical hard drive that intercepts and tracks all hard drive activity during a session. During the session, the user can browse the web, create documents, install programs, whatever…but when the machine reboots, the cached list of hard drive changes is discarded completely: the hard drive is restored to the way it looked before the user booted the machine.

What can you use this for?

There are many places where a completely protected machine would be of great use…

• A shared computer in a public area, like a hotel lobby
• A home computer that is used by the kids and the cat and the dog
• Computers in a school or library setting
• Shared computers in a setting where many different workers use the same computer

Anything to worry about?

• All of your users must remember that everything must be saved to a USB stick before reboot. Steady State warns you of this every time you reboot the machine.
• There are some annoyances that might happen, such as that silly “Desktop Cleanup Wizard” popping up every single day because it thinks it hasn’t been run in five months, or “New Programs Installed” balloons that come up every single day because, again, the machine is restored totally to day-one upon reboot.
• Microsoft is killing the product at the end of the year. Now it will likely remain functional for XP and Vista, but they are not upgrading it for Windows 7. But this is too cool a product not to try out. In theory, you could create a steady state machine today and keep booting today’s version of Windows XP for the next five years.

Additional Features

With the hard drive protection enabled, you can add programs at any time from an administrator account. When you shut down, Steady State will ask you if you want to commit your changed hard drive data to the Steady State disk image.

Even without the hard drive protection enabled, you have plenty of security constraints you can enable for other users to keep them from installing their favorite annoying toolbar and blinking mouse cursor. Think of this as a poor-man’s version of the domain policy tool used in enterprise environments.

More Information

• Microsoft Steady State. How to remotely remove and retain changes on lab computers.
• Defending the C disk with SteadyState from Microsoft
• Alternatives to Steady State for Windows 7: Creating a Steady State by Using Microsoft Technologies
• See Episode #129 of Steve Gibson’s Security Now podcast: Security Now! Episode Archive

Conclusion

I did not understand just how slick a tool this is until I installed it on a spare machine. It took about fifteen minutes to configure things right, but that machine has been running for the past few weeks with the locked-down golden configuration. Whenever it reboots, it looks exactly as it did when I installed Steady State.

Give it a try before it’s too late!

This belief was based on the understanding that only those with supercomputers at their disposal would have the computational ability to trundle through all of the permutations needed for a brute force attack against our jumble of weird symbols.

Richard Boyd, of the Georgia Tech Research Institute, told the BBC that the number-crunching capacity of graphics cards compares to those of supercomputers built only 10 years ago.

— The Register

Huh?!

The modern bleeding-edge graphics card, normally the purview of hardcore gamers, packs sufficient mathematical muscle to compete with not-so-old super computers?

In other words, not only do we have to worry about black-hats who can command arrays of hijacked home computers to take down sites like Twitter and Facebook at will, but they now have mathematical might at their disposal that we normally associate with scientists and three-letter government agencies.

Read all about the demise of the short password here:

Short passwords ‘hopelessly inadequate’, say boffins (The Register)

Doom and gloom?

Fortunately, from a password security point of view, this kind of computing power is most useful to hackers who have access to the encrypted password file from the server—a file that is hopefully treated with extra special care to prevent others from seeing it.

The hacker simply runs every possible combination of umpteen funny characters through well known hash algorithms until one particular choice hashes perfectly into the stolen encrypted version. Then he logs into your Lego account and orders more Star Wars Lego kits.

If the hacker does not have the list of encrypted user passwords, he cannot run this process on his über cruncher machine in isolation: He must make a login attempt with each password. And most systems start inserting longer delays, and eventually blocking logins altogether, after three or four failed attempts.

An ominous sign

Password hacking aside, there is a more sinister problem facing us…

Large powerful government agencies do not spend all of their computing horsepower trying every possible ten-character password to crack a Unix login, do they? They are more concerned with modern hard encryption technologies, the cornerstone of e-commerce and our trust in the Internet.

The time is near when these fancy 128-bit AES keys will fall prey to ne’er-do-wells with nothing more than a tricked-out gaming machine.

And I want to be able to treat a PDF file exactly as I would a sheaf of printed pages.

Then along comes someone who exploits yet another bug in someone’s PDF renderer. A few months ago Acrobat Reader was all over the news. Today I saw that all of the cool kids are jailbreaking their iPhones using a simple web site that exploits a PDF defect in mobile Safari in iOS4.

And if the slick website can inject code that does something as profound as jailbreaking your iPhone, it should be child’s play for a black hat to use the same thing to take over your iPhone and ring up millions of dollars of charges to some telephone extortion outfit in a remote part of Africa.

I guess all of the fancy PDF features are a double edged sword—recall that Active-X controls and DDT were both amazing and powerful when they were introduced, but the improper use of both have sullied their good names. I just hope that the goal of a pure paper replacement standard is not lost and that these events do not cause PDF to become a marginalized technology.

How I’d Hack Your Weak Passwords (onemansblog.com)

The author starts off with a list of the top ten passwords, and how he would go about finding the personal information needed. For example, number 1 is “Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)” and number 2 is “The last 4 digits of your social security number.”

The really interesting bits are when the author explains exactly how he would approach hacking your accounts, and how likely he would be to succeed. Unfortunately, the tools needed to engage in this kind of mischief are readily available and do not require great skill to employ.

Some key protection points include…

• Don’t use the same password for all of your online activities. Use different passwords for each site. That way, if your Facebook password is compromised, your Wachovia password is safe.
• Never use dictionary words, names, or other common passwords.
• Look for a trusted password management utility to help ease the pain of having a hundred different passwords.
• Your email is one of the most important and critical passwords—a criminal can use the “reset my password” feature on many shopping sites once they have access to your email account.

Take a look at the article and see if you can make some changes in the way you handle password security so that you don’t get hacked!

Imagine that you were to become temporarily incapacitated for whatever reason…

• Can a family member log in to your computer, as yourself, in order to access your files?
• Can your spouse access your online banking details so the bills can be paid?
• Can your family find your insurance information that you scanned and filed away?
• Is there someone who can log in to any online accounts that need care and feeding?

Not a pleasant subject, indeed, but one that worries me from time to time.

One way to address these needs is to keep all of your passwords and so forth in one special place, using a password safe application, and make sure someone else has the access code. For example, you can use a tool such as 1Password or SplashId to store hundreds of secret bits that you use all the time, and your family might need.

You might consider writing down the master passwords that control your life and sealing them in an envelope that you provide to a trusted family member. Since this is such a great security risk if found by the enemy, you might want to omit any identifying information from the note. Impress upon them the need to secure the document very well.

Perhaps you can choose the same master password with your spouse, with one relatively short password locking your computer and a long secure password locking your password safe application.

Regardless of how you address these issues, sit down with your better half (or trusted family member) and review where documents are and how to access them.

Apparently this is not the case

It seems that the TSA has leaked their official document of airport security guidelines. ABC News says Online Posting Reveals a “How To” for Terrorists to Get Through Airport Security

A Rookie Mistake

Look at the screenshot of the document at the top of this post. Even though a certain part of the document has been blacked out, it is possible to select the text and copy/paste to find out what is hidden behind the black text.

What kinds of things are listed in this document?

• Photographs of all kinds of official ID cards. Ever wondered what a U.S. Senator’s ID card looks like?
• Procedures for calibrating equipment, such as where guns should be hidden for the testing and such.
• Guidelines for who gets searched and who doesn’t.
• Guidelines for what objects get searched and which don’t.
• And much much more!

In other words, this was a most unfortunate event.

See for yourself—ABC News (and others) have posted the document with redactions removed.

Easy as Pie

Here’s a screenshot of the original document, opened in Adobe Acrobat Professional.

As you can see, it was a trivial matter to use the TouchUp Object tool to gently slide the black rectangle off of the secret stuff (I have blurred the text here, though you can read it from ABC News if you wish).

If you are working with confidential documents that could potentially cause disaster if leaked, please learn how to redact your documents correctly!

I was reading a post on a board I frequent where a person was describing exactly this kind of activity—removing sensitive information from PDF documents. Several suggestions were made, but one individual suggested opening the file in Acrobat Pro and replacing the sensitive text with good old Lorem Ipsum.

It was at that moment that I recalled a peculiar feature of the PDF file format: it is designed to support nondestructive updates, allowing people to make vast changes to a PDF document while still retaining the original document, fully intact. I did a few experiments and was surprised with the results.

A Brief Note on the PDF File Format

For the geeky types among us, one place to begin is this article:

Portable Document Format: An Introduction for Programmers

The key points to get out of the article is this: A PDF document is comprised of several distinct sections, a Header, a Body, an “xref” Table, and a Trailer. At the very end of the file you will find the character sequence %%EOF

The PDF standard was designed to allow multiple updates to a document, while retaining the original version. This is accomplished by appending anything new to the end of the document, after the original EOF tag. The document will now have two EOF tags: one indicating where the original document ended, and a new EOF tag indicating where the new changes end.

If we wish to revert PDF changes, it should be a simple matter of opening the PDF file in a binary editor, searching for the first EOF tag, and deleting everything following.

A Simple Experiment

Let’s start with a proper secret document containing missile plans…

Suppose we want to obscure some special information in paragraph 37. We can open the file in Acrobat Professional and use its text editing features to swap in the venerable Lorem Ipsum text.

Here’s what it looks like after the switch:

You can see here that the first seven lines of text starting on paragraph 37 have been replaced with appropriate unreadable text.

Now, open the new PDF file in a binary editor (since PDF files contain a mix of text and binary, the editor must be a binary editor).

Note the %%EOF character sequence embedded in the text. This is the first EOF tag, indicating where the original file ended. All we need to do is place the cursor to the right of the EOF and delete everything to the end of the file.

Once we have done so, it’s like magic:

The edits that replaced lines of paragraph 37 with gibberish have neatly been undone!

More Details

From the PDF Intro document linked earlier:

“The trailer, it turns out, plays an important role in the way PDF implements incremental updating. The key concept to understand here is that a PDF file is never overwritten, only added to. That goes for all portions of the PDF file – even the trailer itself, and the end-of-file marker. In other words, a multiply-updated PDF document may contain multiple trailers – and multiple end-of-file markers! (There may be numerous occurrences of %%EOF.) Each time the file is edited, an addendum is written to the tail of the file, consisting of the content objects that have changed, a new xref section, and a new trailer containing all the information that was in the previous trailer, as well as a /Prev key specifying the byte offset (from the beginning of the file) of the previous xref section. The cross-reference info will then be distributed across more than one xref section. To access all of the cross-references, the reader must walk the list of /Prev keys in all the trailers, in reverse order.

Space doesn’t permit a detailed exploration of updates here, but you can find several examples in Appendix A of the PDF 1.3 specification (available at http://partners.adobe.com/asn/developer).”

Summary

It is important to understand that the PDF standard allows for appended updates to files that leave the original document intact, regardless of how drastic the changes are. If you are intent on redacting text from PDF documents, do not depend on simply deleting the secrets using a PDF editor—you must use a proper redaction tool that addresses these issues correctly.

That said, I did some experimenting with a few utilities (Apple Preview, PDFpen, and Adobe Acrobat Pro) and found that some write the file from scratch each time, with no lingering cruft from former versions, while others respect the original intent of the PDF standard. This means that you can’t trust that older revisions are being retained in your file and you can’t trust that they aren’t.

Be conservative: use a redaction tool for secrecy and proper backups for versioning.

Their network security department very kindly (and politely) informed me that they had received a “cease and desist” order from a particular game publisher. They had included the game publisher’s email, complete with the incriminating evidence.

There it was: logs showing the MAC address of my cable modem being involved in suspicious BitTorrent activities.

Considering that at any time during the week there can be from two to six or seven different teenagers hanging out in my humble abode, carrying virus-ridden machines, the message was clear: I had to get serious about locking down network access

The Problem

I would have liked to have bought some net filtering software to slap on the offending machine and been done with it, however I knew that this was insufficient.

Even if this one event could be traced to a youthful source, a more ominous danger comes from the inevitable malware and viruses that teenagers collect on their machines as they swap cool stuff with their friends.

Complicating things, there are many devices on our home network: Besides their school laptops, the kids have video game consoles and one has an iPod touch, all with wifi access. Think about how many different gadgets are on your home network.

And shutting off access altogether was not an option—there is still schoolwork to be done!

The answer: A Private Network for the Kids

My solution was to put together an unusual network configuration using a second wireless router; I wanted the ability to manage every single kid-owned device at the flip of a switch, while leaving the grownups untouched.

I hooked the cable modem (red) to the main router, shown in green. I then plugged a second wireless router, shown in blue, into the first.

By doing this, you can see that there is one single wire connecting the entire blue network (the kids) to the green network. It was trivial to then configure the green router with appropriate access control and filtering for that one single device: the blue router.

Some quirky details

Home routers like these are, by default, configured with a NAT firewall. They work sort of like one-way mirrors: someone on the network can see out, but nobody can see in. As a result of this, the kids (blue devices) can see any device on the main router (green devices), such as our print server and the NAS device, but no one can see into the kids’ network.

As paradoxical as it seems, this is exactly what I wanted. By making the kids’ network a private network, it appears to the green router as a single device. When I am configuring access restrictions, I only need to control access for the blue router’s IP address or MAC address.

Many consumer-grade routers have flakey firmware that just doesn’t really behave well when you start doing things like turning on filtering for multiple machines. I simplified things by bringing down the number of controlled devices to one. In addition, if one were to try filtering on the IP addresses or MAC addresses of individual machines, this can be easily defeated by manually changing the IP address or MAC address. With my configuration, the MAC address being filtered is the blue router, locked away safely.

The Finer Points

If you want to set up a network like this, do the following:

• (Recommended) Reset the kids’ router. Hold the hard reset button on the router in while you turn on power; hold the button for 15 seconds or so.
• Hook the kids’ router up to a spare laptop using an Ethernet cable. (Turn off the wireless of the laptop for the time being).
• Use the laptop to navigate to the configuration web page (usually 192.168.1.1).
• Set the router’s own address to a different network from the main network, such as 192.168.2.1. This is critical.
• Configure the router’s gateway and DHCP server entries to all point to the main router (192.168.1.1). This tells the kids’ router to use the main router as a source for its DHCP lookups and such, rather than going to cable modem.
• Navigate to the configuration web page at the new address (192.168.2.1). You may need to close the browser and replug the Ethernet cable.
• Set up your wireless security for the kids however you like. Make sure to choose a different channel and SSID from your main router.
• Remove the laptop and plug the WAN port of the kids’ router into one of the LAN ports of the main router. Restart everything.
• Test both networks to make sure things work the way you think they should.
• (Optional) You might want to connect to the kids’ router and set it’s external IP address statically. Make sure that this is set to a number on the home network (e.g. 192.168.1.2).

Some notes:

• You can only maintain the kids’ router from a machine connected to the kids’ network; the home network cannot see the management screens. If you wish, you could enable remote management for the kids’ network only, since the main home router is still protecting the whole network from intruders.
• Computers on the kids’ network can see all devices, but they aren’t on the same network. This means that network printers and NAS devices are accessible, but you will have to attach to them using IP addresses. I was able to easily set up the machines on the 192.168.2.1 network to use a print server on 192.168.1.100.
• For machines that should have full access (a.k.a. yours), make sure that you either set the green network to be a higher priority or remove the blue network SSID entry altogether. I found out the hard way that my iMac would randomly pick the green or the blue depending on which one it saw first when it woke up.
• This does not wall off your main network; it simply provides a single point of control to the entire kids’ network. In other words, don’t depend on this setup to prevent malware on the kids machines from seeing your machine. You can, however, set up your PC to not trust the kids’ network.

Wireless Network Security

Regardless of how you set up your network, make sure you use at least WPA encryption (Never use WEP!). Make sure your passwords are solid.

Using DD-WRT on my new wireless router

In addition to the new network configuration, I went one step further and chose a main router that lends itself well to installation of open-source firmware. I ordered a Linksys WRT54GL from Amazon for a little over fifty bucks. I chose this one because, as a direct descendent of the venerable WRT54G, this router is very well suited for running alternative firmware such as DD-WRT, giving substantial control over things like, say, access control…

Within a half hour after my new router arrived, I had gone to the Supported Hardware page, obtained the latest build of DD-WRT, and replaced the Linksys firmware with the far-better open source code.

I won’t go into the specifics of installation here, but it isn’t very challenging. Check out the DD-WRT site for details.

Closing Thoughts

Make no mistake: we are responsible for whatever goes on our home networks. Just like your home telephone; if someone dials up some 900 number and rings up a thousand-dollar phone bill, the phone company won’t care a whit who did it, you will still pay. Likewise, regardless of who did the BitTorrent download, there is a certain degree of responsibility of the homeowner to lock down the network.

Another point: Without some degree of personal responsibility on the part of the kids in the house, this sort of activity would simply be an arms race of filtering and blocking versus hacking. My goal is to help keep the honest people honest and to make life more difficult for the viruses and malware.

Another issue altogether is the spam email that is carefully crafted to appear as if it has come from your bank, saying cheerfully “Your statement for May is available online, just click here to access!” … but whoever clicks will inevitably be providing their secrets to some ne’er-do-well in New Zealand who will promptly empty their accounts.

Here is a simple, quick, and free way to avoid phishing attacks as well as casual/accidental exposure to unwanted adult content.

OpenDNS

The service I am referring to is OpenDNS, a free domain name lookup service that you can use in lieu of your Internet Service Provider’s own DNS servers.

When your computer goes to a web site, the name of the web site must be converted to a numeric address, in much the same way that you use a telephone directory to look up a friend’s number.

This lookup service is typically provided by a server owned by your Internet Service Provider. The address to this server is automatically configured when your cable modem connects to the network the first time.

The way OpenDNS works is you change the Domain Name Server (DNS) setting in your router to now point to the OpenDNS servers instead of your ISP servers. By doing this, you have changed the default telephone directory used by your home network.

A Phone book with the Bad Numbers Missing

To take the phone book analogy further, imagine that in your new phone book, all of the phone numbers for shady businesses such as escort services and massage parlors have been replaced with a special number. When you dial that number, a pleasant older woman gives you a gentle scolding for trying to call such a business.

This is pretty much what happens with OpenDNS: when your browser asks for a page from www.naughtystuff.com, the OpenDNS server points you to a different place, a nice page from OpenDNS that says that the page is blocked and explains why.

One fix for your Entire Network

There are many options available for “net nanny” style software that can be installed on individual machines, such as the kids’ machine. These features are also embedded in modern versions of Windows and OS X. But, what about all of the little portable devices that find themselves into kids’ hands? How about their gaming consoles?

Since you configure OpenDNS at the network entry point to your home, the router, any device attached to your network is automatically covered.

Customizable Blocking

You can use OpenDNS without an account, just by pointing your router to their servers, but the real power comes when you register with them (for free) and make your own choices about what you want to see.

You can choose which parts of the Internet you don’t want to see using their online configuration tool. You can either use their “High/Moderate/Medium/Low/Minimal” options or you can pick and choose individual bits of stuff to allow or block.

Here’s a look at the categories available when you choose the custom blocking level:

Basic Setup (about 20 minutes)

• Configure your router to use the OpenDNS servers for DNS lookups.
• Create a free OpenDNS account.
• Install their small updater program on one machine on your network.
• Log in to your OpenDNS Dashboard on the web and configure your blocking settings to taste.

Why do you need the updater utility?

In order to provide the custom blocking, the OpenDNS servers need to know your main IP address assigned by your Internet Server Provider. The desktop utility simply informs OpenDNS of your new IP address if it ever changes.

What do users see if they go to a blocked page?

They see a page that indicates the site that was blocked, along with a short reason and a link they can click if they want access to the page. If they click that link and fill out the short form, you will get an email from OpenDNS with the user’s request.

The remainder of the “blocked” page is a search form with some sponsored links.

You can customize the message as well as the image shown on the web page. When someone reaches a blocked page in my network, they are greeted by a picture of our calico cat, Roxy.

Keeping the Honest People Honest

This approach to blocking unwanted web sites is not a complete solution for keeping your kids from where they shouldn’t go; it is more like a simple padlock: it keeps the honest people honest. A determined individual can easily get around this product using various techniques, but they have to make a conscious effort to do so.

The real strength of OpenDNS is that it helps avoid accidental exposure to unwanted web content and phishing sites.

Not everyone who works with documents in the home will run into this problem, but sooner or later you are probably going to find yourself in a situation where you would like to email someone a useful document that just happens to have your social security number embedded in it, or your full name and address, or some other info that you would rather keep private.

This process of editing documents to remove sensitive content is referred to as redaction—that’s the keyword you probably want to be searching for as you tip toe through Google for guidance.

In this article I discuss the obvious problems we face using the most naïve approach toward document redaction, and provide some resources for better options.

The only sure way

The only absolutely certain way of guaranteeing that you cut out secret information would be to print the document, physically cut out the bad bits, scan in the document, and send the scanned PDF to your colleague. This may seem a bit extreme, but if you were an anonymous tipster sending the media a document full of mob-related evidence, containing your name, you might go this route (You probably don’t want to send the email from your personal account. Try a throwaway email account at the library.)

Other options… Microsoft Word

Don’t even think about sending a raw MS Word document to your recipient. There’s loads of hidden stuff within those documents that you might forget. If you really must, you can look into some recommendations from Microsoft, and consider tools such as Microsoft’s free Office add-in for removing hidden data.

Danger lurking in PDF documents

Since my paperless life really revolves around PDF documents, this is the most likely kind of document that I would be sending via email. Unfortunately, PDF documents have even more hidden data within than MS Office documents. Many people have been burned when they tried simple attempts at obscuring parts of a PDF.

A Simple Demonstration

I started with a nice PDF of the Declaration of Independence.

Now, supposing that we needed to send this document to a colleague, but we must not reveal the name of the original signer, we might try opening up the PDF in our favorite PDF markup tool and slapping a big fat rectangle over the sensitive information.

Now, all is good. But the enemy is crafty and they exploit the huge flaw in our thinking: the information never left the document. All they need to do is copy and paste:

A quick copy/paste from the PDF viewer application to Microsoft Word lets the whole world see that John Hancock is to blame! Better let him know we slipped up so he can take appropriate actions.

This sounds trivial, right?

In February, the Associated Press was able to uncover the secret details of the Facebook/ConnectU settlement using this same technique.

Apparently, the U.S. military has been caught in the same trap.

Last year, Google founder Larry Page’s home address info was leaked in a similar fashion.

How about Scanned Documents?

Up to this point I was working with a document that had been printed to PDF, thereby preserving the document text perfectly.

What about a document that we scan in?

Here’s some honest-to-goodness missile plans…

This is an excerpt from a scanned copy of the U.S. patent for the venerable Sidewinder Missile, complete with a black square that I have added to obscure some special information.

As seen here, the copy/paste trick still worked.

But why does it still work? Because the document had OCR run on it in the past.

A brief look at Acrobat’s document inspector tool shows the hidden secrets:

All of the red text above is hidden text. The actual hidden text is displayed by itself in the box on the right side of the screen above. It isn’t very pretty, but it has all of the details.

Proper Redaction

If you are concerned about keeping your secrets secret, do a bit of research into the tools available. You want to be absolutely certain that you don’t pass along any more information than you intend to.

Adobe Acrobat Professional comes with tools to do just this, and I show their use here:

You can see that I have used a redaction tool to select scanned text. Acrobat is selecting the hidden text as well as the bitmap image of the page. Once I apply the redaction, you can see the result below:

Now when my enemy tries the old copy/paste trick, the stuff between 38 and said means is totally blank, as intended.

Summary

I covered a very simplistic form of redaction here as well as a very simple way of getting around someone’s naïve censoring. Don’t stop here. You should use your PDF editor to search the metadata and hidden text for any terms you don’t want made public. You may wish to strip all metadata from your documents.

This is a topic that has been covered in depth by many, particularly in the legal field. Here’s a few articles worth reading on the topic:

Control metadata in your legal documents (Microsoft)

Redaction and Metadata Removal eSeminar (Acrobat for Legal Professionals)

Redacting PDF files with Acrobat 8 (AcrobatUsers.com)