iPod: Your Portable Corporate Hellraiser
MrAndrews writes "In an article on ZDNet UK, a Gartner says that 'Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data.' I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
Corporate just recently issued 1GB thumb drives to all employees. We find it's easier for the users to back up their own crap and transfer it that way.
Teaching a user about network storage or even using the IrDA file transfer was unsuccessful... yet these dolts took to using the thumb drives like it was second nature.
So now USB storage devices are required and issued to users.
Do not look at laser with remaining good eye.
I used to work at a government defense contractor and this type of policy was standard there. No CD players, no radios, nothing with any type of electronics could be brought in just in case they could somehow be used as a transmitter or to steal data or something. Oddly enough, floppies could be used. Go figure.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
>In that case, I know it was absurd overkill ...
:-)
Why do you say that? If they really deal with sensitive (Top Secret - as you put it) information, it sounds justified...
Of course, they should also have disabled USB ports on machines on their network, but keeping the devices out is a good idea also.
A watch is much less conspicuous than a Furby on your wrist.
That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)
Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
But they do allow diskettes (friggin diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with an NT username/password) operates simply on DHCP, no MAC address checking: the only "security check" is the NT domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it in that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac, I don't even need a crossover cable to pump over data from my work PC to my Mac. Imagine what kind of data I could take away with that! Nobody ever stopped me at the entrance/exit with my laptop bag. Nobody.
You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I suspect that this is only a great concern in governmental institutions (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.
Hey, I pointed out their flaws and I was told to shut up.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
I carry 40GB in and out of my company every day - no need for USB drives!!
Nonsense... I run a pretty secure net here (secondary school, HUGE threat from any teenager who just happens to think he is a XaxooR)... we got everything so locked down that we didn't have a single major incident for the last year =) And still, yes, portable USB devices are a threat... can't telnet from the school due to policies? Just bring PuTTY on a memory stick... et voila! Therefore, it is not so much about network security, but what you allow people to do on the network... with the assumption that any memory stick can contain software you DON'T WANT inside your net.
http://www.automatiq.se
Most military bases have banned PDAs, USB Flash drives, iPods (and variants), cell phones, and any other device that can be connected to a computer and can store data. Some have even gone as far as removing diskette drives and banning CD-RW and DVD-RW drives on new systems. I have seen incidents where people decided to put classified military data on a flash drive or floppy to take it home to work on it. This happened even after people sign an agreement and go through repeated training sessions where they spell out what will happen if they do something like this.
Corporations are having to deal with this same problem as portable devices can now be used to store data or take pictures that could compromise sensitive data. However, this has always been an issue. A systems administrator could walk out of work with a 4mm or 8mm tape full of sensitive/classified data and no one would know. It boils down to a matter of trust and integrity; do you trust the people who use/administer your systems? Have they shown the integrity in other matters that would indicate they can be trusted with more sensitive matters?
Unfortunately, it only takes one person in a sensitive position to screw it up for everyone else.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Not in some movie - Cringely wrote about seeing a man walk into CompUSA, plug his 1st gen iPod into a Mac there and drag the MS Office folders onto it. The article claimed (I have no idea how true it is/was) that Office will re-establish the system folder items necessary so this amounted to a perfect and complete copy of the software.
That said, certainly the benign uses outnumber the malicious ones. The question is, if you have other data control policies, do you need to CYA by having this ban so you can respond to suspicious activities decisively? I also think comparisons to more easily concealed USB key devices aren't reasonable - I can't fit a large ACT! database of contacts on one of those but I can on a 40GB device.
Bad management trumps ideology - Show the world you want better leadership. http://www.timefornewmanagement.com
True, but that's not the entire purpose.
Where I work (a DOD contractor) we can carry just about anything (except a camera). We are, however, required to register it with the security manager. In order to register it, you must give them permission to read the contents on the way into or out of the building. That allows them to maintain their illusion of safety while allowing employees to carry their preferred gadgets.
I don't know of anyone actually being searched, however...
'I ain't a liar, baby, and I ain't proud I just want what I'm not allowed.' -- Violent Femmes, 36-24-36
Do corporations outlaw email because someone could smuggle an important corporate document through a simple email attachment? You can put a heck of a lot of info on a single freemail attachment in a text file, and / or use a corporate POP3 mailserver too. Do corporations also outlaw CD-Rs because they could be used to copy important data? Do corporations outlaw floppy discs? And, above all, do corporations give their employees a darned internet connection to begin with? What about the internet itself? If someone is truly paranoid about security, it'd be more effective to plug already existing giant holes in security, and completely strip their employees of all the fundamental tools of the information age. It's hard to prevent the exchange of information on the computer: after all, a computer is a device specifically designed for just that purpose, anyways. If someone goes through all the trouble to smuggle files on an iPod when he could simply PGP encrypt them over email, it would be an act of stupidity anyways. Conclusively, it's a bad idea banning the iPods from offices. -Foo
Because you can't always just assume that a hacker is stealing information every time, it's realistic to assume that someone in your organisation would give away information for the right price.
;)
The malware aspect, though, from my viewpoint is FUD, because (as far as I know) iPods and flash memory sticks don't run software when you plug them in. I could be wrong though. But I know people who have had 200+ spyware apps, and it's never happened to them. 200 isn't that much compared to some, but I've known him a few years, and being the only Open Source guy he knows should give me some influence. Just remember, the weakest link is always the people.
And, for the record, my friend has now dumped IE, and moved to Firefox. It's offtopic I know, but I spent an hour browsing Secunia tonight, and set up a couple of the exploits (IE is vulnerable to all the ones I tried), so I know how easy it is to bring malware onto a Windows box. In short, I'm scared shitless, and anyone who brings in data from a source which hasn't been checked is just asking for trouble. Perhaps if the networks moved to a platform that was less troublesome
It's my opinion though, that you can either trust an employee, or you can't. If you trust someone with the data, you should not worry about their iPod, or not trust them in the first place.
Remember last year, the movie 'The Recruit'? One of its big premises was that a CIA agent was smuggling out data; but they couldn't figure out who was stealing the information, and how. The smuggling device turned out to be a common USB flash drive hidden under a coffee thermos's seal. The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.
I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.
As a side thought, companies may begin to ban cell phones as well. Late last year Slashdot had an article about a cell phone detection device made in Israel. People were leaving modified cell phones in planters. The modified phones would transmit the conversation of anyone in the room for about a week. Thus making a cheap spy toy.
You say things that offend me and I can deal with it. Can you?
Of course, there was nothing stopping you from walking out the door with a laptop, with a 30GB hard drive.
In much the same way as the demise of Napster brought about the end of filesharing, banning iPods from work will wipe out corporate secret stealing. Nobody will ever think to tunnel data through SSH, copy data onto floppies, USB keychain storage devices, portable laptops, or magnetic tape. Surely, nobody will upload information to their Palm or Windows CE handheld devices; nobody will print out data and take it home; nobody will call someone on the telephone and read them data over the phone.
Man, they've sure got all their bases covered!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I had a similar problem. Boss was curious why I was switching out Compact Flash cards in a reader I brought. I told him I was copying parts of a small ISO of a linux distro I was going to try out at home.
I was asked by corporate security to remove it or have it removed. I turned right around and asked them "Do you give access to the internet in any way, shape or form?" Of course they do. I then cited numerous free email sites and plenty of "X: drive" sites that let you store info centrally on their systems, and also tossed in a bit of AIM/FTP/IRC file transferring for example. The execs were dumbfounded and had to call a few "heads of IT" and "techies" to confirm what I said.
Of course I was right and anyone in the company with internet access could easily upload any file and they would never see it. I was allowed to keep my CF reader/writer and they left me alone.
If a ban on static memory / portable drives is in place at your company then you have no business with one.
Of course, hiding the devices in highlighter pens and the handle of your coffee mug isn't too hard.
What the ban does is make all possession of these devices improper in the workplace.
What is the maskwork for your new chip worth? What is it worth to a competitor? How do you move the data?
If the two idiots at AOL and Vegas had scammed the userbase this way they might not have been caught.
Nope, the advent of portable RAM drives means that these devices will be used improperly.
Oh, on a personal note: only a genuine geek has a USB watch. It will (eventually) wind up in that dresser drawer reserved for the calculator watch, the last 7 cell phones, 5 PDAs, pen cams, dead Montblanc pens, old swag and $200.00 in odd pocket change.
We have a similar policy at my work. I even take my computer home with me (IBM T40) but some documents can not be opened without a decryption key from a keyserver (Authentica system). Makes working at home a pain, but hey. I can take my jukebox into work with me no problem (essentially a usb2 20gig hdd). But if I dare to bring my camera phone into the Lab areas (cube farm no problem) it's instant reprimand. 2nd offence is suspension w/o pay and third is term. (never heard of anyone being terminated though).
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
That day I wanted a tin foil hat lol.
My company works with the Bureau of Engraving and Printing (the folks who print the bills). The Bureau issues transparent vinyl purses and packs for employees to carry their lunch and belongings. This makes it easier to see whether somebody is walking off with sheets of un-cut currency.
We also worked with the US Mint (the folks who mint the coinage). They told a story about metal detectors tied to biometrics that were so sensitive that when a woman became pregnant, the changes in the metal chemistry of her blood (increased iron, etc...) were enough to have to retake the biometric scan. That one always seemed apocryphal to me (but a very cool concept nonetheless).
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Disable removable storage, disable addition of new devices by normal users. Presto. Now they can't tunnel their secrets out to their cell phone with a USB Bluetooth adaptor either. However, wherever there is the ability to transmit information -- that's information in the theory sense, as in a single bit corresponding to agreed-upon relevant data -- you're going to have covert channels. Short of sticking folks onto standalone computers in a Faraday cage (i.e. SCI) you're going to have covert channels. Heck, even then if you personally trust the guy leaking the secrets, that info is carried out in the brain. Just that "take my word for it" isn't usually considered good intel (unless you're George W. Bush looking for WMDs).
I've finally had it: until slashdot gets article moderation, I am not coming back.
> (except a camera)
;) This was after '96.
True story: a former supervisor took a Sony Mavica (uses a DOS-format floppy disk) onboard a ship with Soviet missiles where he should not have and took pictures of them. When the rent-a-cop spotted this he asked that the pictures be deleted. My super handed me the disk and we did the old DOS 'undelete' trick with Norton Utilities and got the pictures back, no problem.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
USB / Firewire Devices / Cell Phones with Cameras / etc. etc.
- USB pen drives can quickly and easily store data without a trace and they are small enough to hide just about anywhere. A spammer was arrested in Ireland in an Internet cafe and the man tried to swallow the USB key drive. It contained all the spammer's software and mailing lists.
A PC in a corporate office could be booted up using a USB key drive and literally used to run hacker tools. (well same could be done with a CD-R but that's beside the point). It's faster and easier to slip a USB device into an office situation unless you are going to be frisked and metal detected or body cavity searched.
Hackers have been slipping XBoxes, Sega Dreamcast, etc. into an office and jacking it into the ethernet to perform network analysis and packet sniffing.
- Firewire devices like the iPod have tremendous storage abilities. It truly is a portable hard disk that masquerades as a personal music device. There was an article a while back where the author witnessed a kid waltz into CompUSA with an iPod and the kid jacked it into a PowerMac and stole a complete copy of Office X from the floor model!
- Phones with mini-digital cameras can be used like a 007 James Bond mini camera. A police officer was fired for taking a photo of a naked body in the city morgue with his camera phone.
As technology gets better and better and the costs drop, the spy toys of yesteryear are now in the hands of Joe Blow.
True corporate espionage is going on every day. These tools make it easier and easier to steal data. Security folks who see the threat and take measures against it are enlightened. However, all security measures can be bypassed one way or another.
I am not even sure if there is a way to restrict USB/Firewire drives from working on a PC as long as it's running Windows. Seriously doubt many companies have thought about these issues.
I do know my company had the opportunity to give everyone a CD burner on their computers. This would have been ideal for user backups. But they cited security as the reason why they did not.
Wow. Whoever marked this as "insightful" needs to take off their Bondi Blue glasses.
You guys do know that the minute an employee enters a "secure" network, they're pretty much clear to do whatever they want, right? The security is on the perimeter: getting in is the hard part. If employees needed to type a password for every keystroke, there'd be a mass exodus of white-collar workers.
I'm not saying conditions like that don't exist. I'm sure the computers that run missiles and the like have multiple passwords that have to be entered all the time, but the average worker isn't going to be subjected to something like this.
Now, disable USB drives from being connected hardware-wise: that's an idea. Not sure if there's a way to do that in software, but I'm sure there's a way in the BIOS.
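Two posts above ask the same thing from different angles: one proposes "disable removable storage, disable addition of new devices by normal users", this one asks whether that can be done in software rather than the BIOS. As an added example that is not from the thread, here is a PowerShell audit script for the Windows mechanisms that do exactly that on Vista and later: the USBSTOR class-driver start type, the "Removable Storage Access" policy value, and the "Device Installation Restrictions" policy value. The registry paths are the documented locations for those settings; the function names and the -Enforce switch are this script's own.

```powershell
# Added example, not from the thread. Assumes Windows Vista or later and an
# elevated (administrator) PowerShell session. Run without arguments to audit;
# add -Enforce to apply the blocking settings.
[CmdletBinding()]
param(
    [switch]$Enforce
)

# USBSTOR is the USB mass-storage class driver. Start = 4 (SERVICE_DISABLED)
# means a newly inserted USB disk is never bound to a driver. This is the
# classic per-machine tweak; it is easy to revert, so it is the weaker control.
# A driver already loaded for a plugged-in disk stays until reboot.
$UsbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Group Policy "Removable Storage Access" is stored here. Deny_All = 1 on the
# parent key corresponds to "All Removable Storage classes: Deny all access".
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Group Policy "Device Installation Restrictions". DenyRemovableDevices = 1 is
# "Prevent installation of removable devices", which stops users (and admins,
# unless AllowAdminInstall is also set) from adding new removable devices.
$DevInstallKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Get-RemovableStorageState {
    $start = Get-RegDword -Path $UsbstorKey -Name 'Start'
    [pscustomobject]@{
        UsbstorStart           = $start
        UsbstorDisabled        = ($start -eq 4)
        PolicyDenyAll          = ((Get-RegDword -Path $RemovableKey -Name 'Deny_All') -eq 1)
        PolicyDenyNewRemovable = ((Get-RegDword -Path $DevInstallKey -Name 'DenyRemovableDevices') -eq 1)
    }
}

function Set-RemovableStorageBlocked {
    # Policy values first: they survive a driver reinstall and also cover
    # removable classes that are not USB (FireWire disks, card readers).
    Set-RegDword -Path $RemovableKey  -Name 'Deny_All'             -Value 1
    Set-RegDword -Path $DevInstallKey -Name 'DenyRemovableDevices' -Value 1
    # Then the driver itself, as belt and braces on machines not on a domain.
    Set-RegDword -Path $UsbstorKey    -Name 'Start'                -Value 4
}

$state = Get-RemovableStorageState
Write-Output ("USBSTOR Start={0} (disabled: {1}); Deny_All policy: {2}; block new removable devices: {3}" -f `
    $state.UsbstorStart, $state.UsbstorDisabled, $state.PolicyDenyAll, $state.PolicyDenyNewRemovable)

if ($Enforce) {
    if ($state.UsbstorDisabled -and $state.PolicyDenyAll -and $state.PolicyDenyNewRemovable) {
        Write-Output 'All three controls already in place; nothing changed.'
    } else {
        Set-RemovableStorageBlocked
        $after = Get-RemovableStorageState
        Write-Output ("After enforcement: USBSTOR disabled={0}; Deny_All={1}; DenyRemovableDevices={2}" -f `
            $after.UsbstorDisabled, $after.PolicyDenyAll, $after.PolicyDenyNewRemovable)
    }
} elseif (-not ($state.UsbstorDisabled -and $state.PolicyDenyAll)) {
    Write-Output 'Removable storage is NOT blocked on this machine. Re-run with -Enforce to apply.'
}
```

On a domain-joined machine the policy values are overwritten at the next Group Policy refresh, so set them through a GPO there and use this script only to audit.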
hehehe.. yeah, I remember my counter-intel classes going over that stuff. It gives you an idea of just how unsecure things are if smart people with resources decide to make things otherwise.
MASINT was another really cool area if you are interested in exploring the uses of technology.
In my first novel, "Shining Star," (released under a Creative Commons license, free download at http://pedrovera.com/media/shiningstar.pdf ) a soon-to-be defector carried a bunch of classified material out of a NOC by using his iPod as a firewire drive. He was one of the NOC techs, so he was expected to be in the equipment rooms messing with hardware.
He would go and swap some tapes, then run a psync from a server into the iPod. He did this a few times and did not get caught.
Pedro
----
The Insomniac Coder
I'm not yet sure if it's going to fall into the category of "absurd overkill," but at my workplace (a large FDA-regulated manufacturing and research facility), we've just disabled USB support entirely on the machines comprising our HVAC distributed control system. The reasons behind this are partly due to, first, questionable processes of vendor-support technicians using their USB thumb-drives to move system configuration files around from one network instance to another (which is perfectly reasonable and needed sometimes, it's just that they're doing it ad hoc without supervision and, under FDA regs, this raises the questions of 'how much control do we really have over our system?' and 'has the system's "validated" state been disturbed by this laxness?'), and second, as far as we've been able to tell, the anti-virus software we use doesn't automatically scan, say, thumb-drives when they mount (though it really seems that it should, and I still need to do some investigation there in my copious free time).
On the side of the argument calling it all "absurd overkill" - this clamp-down just makes it that much more inconvenient for people using the system to do their job, while not really tightening security up that much, since most people who have access to the system in the first place can figure out plenty of work-arounds. (Hell, part of my job is figuring out those work-arounds - it's why they pay me the Big Bucks(TM), (yeah, right).)
During the '70s, the Soviets bought a hunting cottage that was within line of sight of two AT&T microwave transmission towers. These towers were the long-distance telephone link between Silicon Valley and a number of US Gov't facilities, like Edwards AFB and various national labs.
The Soviets were able to record almost every telephone call made over those lines for about 6-7 years!
Now while the Soviets are gone, plenty of other groups, including competing companies, are poking their eyes and ears where they do not belong.
Conformity is the jailer of freedom and enemy of growth. -JFK
The reason USB keys and other storage devices are frowned upon is that in use, someone can very easily put something FOUO, Secret, or just generally private on a key by accident. (We have CD burners in our computers and this type of thing happens ALL the time w/ CD burners, let alone the ease of USB keys.)
I do security
Plenty of corporations are having a hard enough time rolling out security patches to the machines on their network using a remote console (i.e., can hit all those machines from one location). How likely would it be that they'd *physically* get to *each* machine, change the BIOS to ensure that it disables the USB ports and lock the BIOS?
Even outside of that logistic nightmare, you'd have to remain vigilant for new/old machines.
But even if you do get a draconian policy in place, what stops a spy from cracking open one of the cases and using the little jumper to "reset" the BIOS?
Maybe for ultra-small organizations this would make sense to try and do. But if you're in that small an organization, you have other easier methods of protecting your data.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
My company does digital camera chips and firmware. We were bought by a company that had a "no personal storage devices" policy.
Every person's desk has at least one card reader and a drawer full of CompactFlash, SmartMedia and SD cards.
They bought another company that relies on storage cards & moved 'em to the main office so this violation of the employee manual is happening there too, giving the verbal amendment (Director-level people saying "don't worry") to the employment contract more teeth. It would be hard to fire someone for a violation with 20 other violators going free.
The same Charlton Heston that said he didn't like AK-47s? That guns like that made him "nervous"?
Charlton Heston is the President of the NRA, but the NRA is by no means the steadfast defender of guns and gun rights that the media tries to portray it as.
Check out www.nrawol.com for more info on this.
The sea changes color, but the sea does not change.
It's true. The installation process for Office on a Mac consists of one step: "Drag this folder to your Applications folder."
As much as I hate to admit it, Microsoft's Mac team is pretty good.
irb(main):001:0>
What if the contents are encrypted or 'just' in a non-human-readable format? Would a security guard know the difference?
What if the device has a non-standard interface (physical or software)? Does the guard have every conceivable adapter?
Yeah, that's a good idea about the camera. Intel thought they had the most secure system in the world. No removable media. Only one workstation contained the data. And it wasn't networked. On top of that it was in a secure location. So the thief on the inside brought in his camera and took a picture of the screen... hit page down... take a picture... hit page down... Low tech, but it smuggled all the designs for the Pentium chip out and over to China.
Excellent and well done. Only wish I had the mod points.
:)
Although, I don't know which was funnier: your subtle humor or the person who modded your joke up as "Informative"
The policy described is sane, but dated. While I will be willing to bet that prohibiting iPods might address a specific concern, it's likely that there exist dozens of other avenues to obtain and then store or transmit "sensitive" information. After all, as an employee, you are likely privy to all sorts of information that could be valuable and captured in some fashion (even if it's by jotting some access keys onto Post-it notes).
The problem is that we are asymptotically approaching the point where information stored is information public. Devices for storing and transmitting information are becoming more powerful, cheaper, easier to use, and less intrusive (think an optical microphone where you can listen to a conversation in a building from across the street).
What would we do if we suddenly all became telepathic and read each other's thoughts? What would we do if all the world's data was on the Internet, available to anyone that knew where to look for it? The latter is rapidly evolving into the truth -- think where we were only 10 years ago.
A security procedure that depends on stopping the importation of information gathering devices is one that's woefully incomplete (and basically useless if you want to stop someone malicious). It may reduce the amount of "stupidity-based" data dispersion, but that's all.
The key is to not keep secrets. If you have to keep secrets, don't rely on machines to do it -- if a machine can transmit or display it, someone else can receive it or see it. If you keep secrets, you better not let anyone see them or touch them. One person with an eidetic memory is a greater liability than any mechanical recording device.
Security must always be judged on a scale. How sensitive is your information against what you are willing to pay to keep it secret? Even naked people working in a plexiglass room could figure out a way to work the system.
Another solution for smuggling a thumb drive into a secure area. Slip a thumb drive into a pocket in a steel-toed boot. The steel should block any x-ray detection of the device. Kick your shoes off while you work and deftly slip the device into the back of the PC with your toes (not visible on most security cameras). Spray on a little extra 'foot funk' if you think that they are on to you and wanting to check your shoes.
Another thought: most new machines (with unlocked BIOSes) can boot a USB device. Now rather than trying to sneak your HackMaster 7000 past security, you can load all your apps on your USB key, boot up and hack away on your employer's machine.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
Not so. By limiting as many avenues of exploitation as possible, you can concentrate more time & energy on other, harder to control methods by which a Bad Guy can hurt you (e.g. background checks, physical security).
:)
It is for this reason that the comment on thin clients is wholly appropriate.
Another angle which you may not have considered is this: A company is responsible for safeguarding its data for the sake of its investors, right? So that company is required to take all reasonable steps to prevent theft of data, etc., under which category "not allowing anyone and everyone to carry around devices capable of storing data" certainly falls. In case you have not already, I recommend you pick up a book or take a seminar on risk management so you can see this from your employer's point of view.
All I'm saying is, there are issues which definitely trump your desire to rock out on your way into the building.
Our $OUTSOURCED developers are all but strip-searched each day. Also, we don't allow them to see any code. Sure, they can't do any work, but oh boy are they cheap.
If you haven't worked in Dilbert land, you may think I am joking. Oh, how I wish that I was. It's laughable; if they really want to swipe things, they could stick a flash reader in their sock. We can't stop them. But what's important is that we've shown that we don't trust them. That's the kind of lesson that really sinks in.
If you were blocking sigs, you wouldn't have to read this.
> We are, however, required to register it with the security manager
I could tuck one of the USB sticks in my tie and no one would ever notice. Half the women in the place could have one in their purse next to the lipstick.
Wake me up when policy starts taking reality into account.
+++ATHZ 99:5:80
Why would they complain legitimately? Most people really only see HTTPS for things like webmail and shopping online which most of the people in a normal organization should not be doing on company time anyway. If you start seeing legitimate exceptions, you allow *those* exceptions, but not everything.
Sorry. Been there, done that from the user *and* admin sides. It tends to work quite well.
Everything I need to know I learned by killing smart people and eating their brains.
Now, if any more planes crash into buildings, it will be because the terrorists already have a plant in the cockpit (i.e. a pilot with an agenda), or they will charter a private plane or hijack a cargo plane by outnumbering the crew. Unfortunately, we don't hear much about the TSA's work to prevent those types of disasters.
Incidentally, a man with an axe and a knife nearly successfully hijacked a FedEx cargo plane, with the intention of crashing it into one of their primary hub centers. Had that been successful, our cargo transport industry would probably be a lot safer by now.
This is the first rule of Security-101. Only you don't really need spies. You only have to make the users think you have them.
Years ago the mainframe operating system (OS/360 MVT) had several known exploitable flaws. The system admin at a large university would walk around the computer labs with a thickish print-out. He would stop behind someone, look over their shoulder, flip to a page in his print-out, and say something like, "Well Collins, I see you finally got past your compiler error on assignment #3. Good job!" He never showed his "print-out" to anyone, so no one ever knew exactly how much or what kind of data he had. It turns out that it was just the raw data for the weekly system usage reports, but no one was willing to risk getting caught doing something dicey.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
I've wondered about this. I'm a student right now but I've been thinking, when I eventually venture into the big bad world and get a job in Natural Language Processing, I'll use the stuff that I learned in college to do stuff at my job. No doubt I'll pick up stuff from working too. When I eventually move on to another job in the same area, I would probably use my knowledge from college and my previous job.
Is it tricky for IT guys to avoid copyright infringements? It's probably a non-issue but with all these IP court cases I just started wondering, where does the line fall between applying your knowledge of a certain subject to do your job and ripping off the IP of the previous company that you worked with?
I guess that a company that didn't trust its employees would be very concerned that basically everything can go home on an iPod. But I don't work in one of those places.
I did some DoD work (not U.S. DoD btw, another country), for someone I'll care not to mention, but I found it amusing that they didn't allow all sorts of things like floppy disks etc. in, while having a ridiculously insecure wifi LAN.
I believe it's fixed these days, partly because a few of us kinda grabbed the head civvy dude there and demonstrated how we could crack the network in minutes. Kinda spooked 'em a bit.. But hey, at least the grunts there couldn't 'steal' email to read at home on floppy disks (or whatever the hell they were paranoid about.)