
Researcher Finds Another Security Flaw In Intel Management Firmware (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware -- remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. [T]he latest vulnerability -- discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post -- is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel's Management Engine BIOS Extension (MEBx).

If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."

  • by ArtemaOne ( 1300025 ) on Friday January 12, 2018 @05:15PM (#55918183)

    Totally different things. I imagine they find software and firmware vulnerabilities all the time. Hardware is difficult to patch around, and obviously comes with the notable performance hit.

    • by Anonymous Coward on Saturday January 13, 2018 @12:01AM (#55920199)

      Change log:
      2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)

      Intel CPU Backdoor Report
      The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

      What we know about Intel CPU backdoors so far:

      TL;DR version

      Your Intel CPU and chipset are running a backdoor as we speak.

      The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

      30C3 Intel ME live hack:
      [Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
      @21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

      [Quotes] Vortrag [events.ccc.de]:
      "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

      "We can permanently monitor the keyboard buffer on both operating system targets."

      Backdoor removal:
      The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
      Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

      2017 Dec Update:
      Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode [ptsecurity.com]; use me_cleaner [github.com] with the -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit [github.com].

      Decoding Intel backdoors:
      The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

      If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, but beware that Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).

      Useful links (Added 2018 Jan 1):
      Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode) [ptsecurity.com]
      me_cleaner: Set HAP AltMeDisable bit with -S option [github.com]
      Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine [blackhat.com]
      EFF: Intel's Management Engine is a security hazard, and users need a way to disable it [eff.org]
      Sakaki's EFI Install Guide/Disabling the Intel Management Engine [gentoo.org]
      Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws. [zdnet.com]
      CVE-2017-5689 [cvedetails.com]: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
      CVE-2017-5705 [cvedetails.com]: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
      CVE-2017-5706 [cvedetails.com]: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware
      CVE-2017-5707 [cvedetails.com]: Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware
      CVE-2017-5708 [cvedetails.com]: Multiple privilege escalations in kernel in Intel Manageability Engine Firmware
      CVE-2017-5709 [cvedetails.com]: Multiple privilege escalations in kernel in Intel Server Platform Services Firmware
      CVE-2017-5710 [cvedetails.com]: Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware
      CVE-2017-5711 [cvedetails.com]: Multiple buffer overflows in Active Management Technology (AMT)
      CVE-2017-5712 [cvedetails.com]: Buffer overflow in Active Management Technology (AMT)

      Useful links (Added 2017):
      The Intel ME subsystem can take over your machine, can't be audited [ycombinator.com]
      REcon 2014 - Intel Management Engine Secrets [youtube.com]
      Untrusting the CPU (33c3) [youtube.com]
      Towards (reasonably) trustworthy x86 laptops [youtube.com]
      30C3 To Protect And Infect - The militarization of the Internet [youtube.com]
      30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software [youtube.com]

      1. Introduction, what is Intel ME

      Short version, from Intel staff:

      Re: What Intel CPUs lack Intel ME secondary processor? [intel.com]
      Amy_Intel Feb 8, 2016 9:27 AM

      The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

      Long version:

      ME: Management Engine [libreboot.org]

      The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.

      The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).

      The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored.

      ME firmware versions 6.0 and later, which are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include "ME Ignition" firmware that performs some hardware initialization and power management. If the ME's boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.

      Quotes on Intel backdoors:

      A message from RMS [fsf.org]
      by Richard Stallman on Dec 29, 2016 09:45 AM

      The current generation of Intel and AMD processor chips are designed with vicious back doors that users cannot shut off. (In Intel processors, it's the "management engine".)

      No users should trust those processors.

      2. The backdoor is next to impossible to decode and reverse engineer:

      Due to multiple instruction sets + custom compression algorithm.

      The Trouble With Intel's Management Engine [hackaday.com]

      While most of the firmware for the ME also resides in the Flash chip used by the BIOS, the firmware isn't readily readable; some common functions are in an on-chip ROM and cannot be found by simply dumping the data from the Flash chip.

      This means that if you're trying to figure out the ME, a lot of the code is seemingly missing. Adding to the problem, a lot of the code itself is compressed with either LZMA or Huffman encoding. There are multiple versions of the Intel ME, as well, all using completely different instruction sets: ARC, ARCompact, and SPARC V8. In short, it's a reverse-engineer's worst nightmare.

      To break the Management Engine, though, this code will have to be reverse engineered, and figuring out the custom compression scheme that's used in the firmware remains an unsolved problem.

      But unsolved doesn't mean that people aren't working on it. There are efforts to break the ME's Huffman algorithm. Of course, deciphering the code we have would lead to another road block: there is still the code on the inaccessible on-chip ROM. Nothing short of industrial espionage or decapping the chip and looking at the silicon will allow anyone to read the ROM code. While researchers do have some idea what this code does by inferring the functions, there is no way to read and audit it. So the ME remains a black box for now.

      3. The backdoor is active even when the machine is powered off:

      Intel rolled out something horrible [hackaday.com]

      The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we can't even look at the code.

      4. Onboard ethernet and WiFi is part of the backdoor:

      The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system.

      If your CPU has Intel Anti-Theft Technology enabled, it is also possible to directly access the backdoor from cell towers using 3G.

      5. The backdoor uses encrypted communication:

      https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT [wikipedia.org]

      AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall. In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC and opens a secure TLS tunnel between the IT console and the PC.

      6. Recent backdoors run Java applets

      *3 billion devices run Java* because everyone's motherboard is running it.

      https://en.wikipedia.org/wiki/Intel_Active_Management_Technology [wikipedia.org]

      Starting with ME 7.1, the ARC processor can also execute signed Java applets. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System.

      7. Possible attack vectors from Intel/CIA/NSA (who holds the certificate):

      Cross-Device Attack Vectors:
      1. Obtain CA Cert trusted by ME > Broadcast DHCP announcement with domain name matching the certificate > Ethernet-Port > CPU backdoor (No exploits required, still works when system is turned off)

      2. Insecure mobile > Broadcast wireless magic packet (CA cert broadcast) > On-Chip-Wifi/On-Chip-Intel-Wireless-Display > CPU backdoor (Only a backdoored mobile is required)

      Other Attack Vectors:
      3. Cell tower broadcast > Intel Anti-theft technology (On-Chip 3G receiver) > CPU backdoor

      4. Zero day browser exploit > Powershell > Intel AMT > CPU backdoor

      8. Backdoor inside a backdoor

      For years Intel acted as if they weren't simply selling spy gear for the US government, but the Vault 7 leak forced them to come out in the open. On May 1st 2017, Intel released a "Critical" security bulletin INTEL-SA-00075 [intel.com], admitting that Intel Core CPUs from 1st gen to 7th gen (2006-2017) all share the same critical vulnerability:

      CVE Name: CVE-2017-5689
      Impact of vulnerability: Elevation of Privilege
      Severity rating: Critical
      Original release: May 01, 2017

      There is an escalation of privilege vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products.

      Intel created a backdoor in the ME built-in web server authentication by using strncmp() to compare the password; anyone sending an empty string as the password, with a length of 0, can get straight into the system, with no access log on either Intel ME or the OS:

      The hijacking flaw that lurked in Intel chips is worse than anyone thought [arstechnica.com]

      The bug was in the code to compare the two passwords. It used the strncmp function that compares the first N characters of two strings:
      strncmp(string1, string2, N)

      Sending an empty password, the compare code does this:
      strncmp("6629fae49393a05397450978507c4ef1","",0)

      Which is equivalent to:
      strncmp("","",0)

      And always returns true.

      Many vulnerable systems were found exposed to the internet:

      The hijacking flaw that lurked in Intel chips is worse than anyone thought [arstechnica.com]

      A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone.
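An added C illustration of the strncmp() defect described in the comment above; this is not code from the comment, from Ars Technica or from Intel's firmware. The vulnerable check takes its length bound from the attacker-supplied string, the hardened one from the trusted value; the hex string is the one the comment shows, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Server-side expected credential hash. The value is the one quoted in the
 * comment above; which credentials it derives from is not stated there. */
#define EXPECTED_RESPONSE "6629fae49393a05397450978507c4ef1"

/* Vulnerable pattern: the comparison length comes from the untrusted input.
 * An empty string gives strncmp(expected, "", 0), which compares zero bytes
 * and returns 0 ("equal"); a correct prefix of any length passes the same way.
 * Returns 1 when the caller would treat the login as authenticated. */
int check_response_vulnerable(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/* Hardened check: require the supplied value to have exactly the expected
 * length, bound the loop by the trusted value, and OR all byte differences
 * together so the result does not leak how many leading bytes matched.
 * Returns 1 only for a full, exact match. */
int check_response_hardened(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: empty, a 4-byte prefix, the exact value, a near miss. */
    const char *inputs[] = { "", "6629", EXPECTED_RESPONSE,
                             "6629fae49393a05397450978507c4ef2" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("supplied=\"%s\"\n  vulnerable: %s\n  hardened:   %s\n",
               inputs[i],
               check_response_vulnerable(EXPECTED_RESPONSE, inputs[i]) ? "ACCEPT" : "reject",
               check_response_hardened(EXPECTED_RESPONSE, inputs[i]) ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The same length-from-untrusted-input mistake applies to any length-limited compare (memcmp, strncasecmp) where the bound is not taken from the trusted side.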

  • by ELCouz ( 1338259 ) on Friday January 12, 2018 @05:18PM (#55918203)
    I hope heads will roll...but like always...never happens! I could even imagine an increased sales for the new generation of Intel processor with the meltdown flaw fixed. smh
    • These are programming flaws. Programmers are never held accountable for anything. Every time something like this is reported folks on here make up every excuse why it's not the fault of the programmer.

      Watch.

      • How is this even a flaw?
        It's a case of default state + physical access == ownership.
        This is nothing new at all.

        • by ELCouz ( 1338259 )
          Agree this is not a flaw, but talking about Intel design in general...we haven't heard any good news about AMT, Intel CPU design and the whole Intel Press Relations in denial.
          • I don't particularly see this as bad engineering even.
            The thing ships disabled by default and with a default local only pwd to enable it OR lock out other access.
            It can be disabled in the BIOS (and then the BIOS pwd activated) as well.
            The config guide even says setting the password is a non optional step in any multi user/multi access environment, or you can get a sku where it's not even available.

            no different than leaving the BIOS unlocked. I could boot a USB device that installs a rogue bootloader on the

          • Here's the good news about AMT and vPro: You can spend $30/system to have vPro on it, you can mass-configure with software Intel provides for free (but you need to buy a signed certificate specifically for AMT provisioning that matches your DHCP's DNS suffix for it to work), and then you can remotely reboot provisioned hardware from ISO images to reimage hardware from anywhere in the world, if you have granted access. It just needs to be on your network, and this includes notebooks that are wireless only.

            • by ELCouz ( 1338259 )
              I don't know why you are in defensive posting. Never talked about flaws. Just the whole AMT is a fiasco because it has no use outside work environment yet imposed on consumer products WHICH most will never update the AMT firmware because they don't know how. If you followed Intel in the past two months you will know what I'm talking about. I'm not talking about BIOS or default user/pw value there.
    • I guess using shit that incompetent admins spent extra money for and then left wide open by never configuring is now Intel's fault? This is the manual single-machine way to provision AMT / vPro. The only way this is a "flaw" is because the monkey in IT either didn't know what they were buying, or didn't bother to actually use what they were sold. By the way, once AMT / vPro are configured in any way (and if the admin of a machine is at all smart, they are doing this through a software provisioner when in

  • If you have physical access you can do anything...
    • If you have long term physical access you can do anything...

      FTFY. By the sound of this flaw, the amount of physical access needed is negligible.

      Think about all the times you step away from a live PC every day; if the amount of physical access needed is trivial (say, 2 seconds to plug in a flash drive and let a script run), a bad actor masquerading as the maintenance guy could easily compromise every machine in your office in the time it takes to get a fresh cup o' Joe.

      • by HiThere ( 15173 )

        To me it sounds more like 5 minutes to half an hour. But it also sounds as if there is no recovery.

      • Or you could just have the IT guy provision it when he does all the other crap to the machine before it's deployed, and it's no longer a concern. Also, in addition to being immune to this "flaw", you get the remote administration and monitoring advantages of AMT! How about that!

    • by Lunix Nutcase ( 1092239 ) on Friday January 12, 2018 @05:39PM (#55918307)

      Not if the system wasn’t left open with a weak password default.

    • by AHuxley ( 892839 )
      Recall the TAO CPU logo slide from the https://leaksource.wordpress.c... [wordpress.com] and the role of Tailored Access Operations.
    • by green1 ( 322787 )

      Do you require a password to log in locally? If so, why? After all, if someone has physical access they can do anything anyway, so why bother?

    • by DeBaas ( 470886 )

      If you have physical access you can do anything...

      In this case if you have physical access you can enable remote access and hide it. Anyone that handled the system before it arrived at your site and was placed in the rack could have done that.
      Obviously it can be remedied by disabling it yourself, but I'm pretty sure not many companies are already doing that.

  • by El Cubano ( 631386 ) on Friday January 12, 2018 @05:33PM (#55918277)

    If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password

    So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

    Now, you might argue that it should be more like keyless entry for an automobile: the manufacturer sets a code and provides you a device (key fob) for entry. However, if Intel did that, they would be accused of making their products difficult to use or crippling them (because people would certainly lose their AMT key fobs and Intel would either be unable to recover them, or would charge a fee for the service) or taking advantage of the user (because they would certainly lose the key fob). Plus, that would make it an absolute nightmare for central IT, the target audience for this particular feature.

    The point is that if you are buying machines that have this capability, then you are buying mid-range to high-end business/professional stuff. AMT is not available on entry-level and most consumer gear. Besides, the people who don't bother setting the MEBx password on their systems (assuming they don't have central management through IT) are probably the same sort of people who buy a wireless AP, turn it on and leave the password set to the default and the admin function accessible over the wireless interface.

    Intel has problems, but this one is definitely way down on the list.

    • by CanHasDIY ( 1672858 ) on Friday January 12, 2018 @05:45PM (#55918341) Homepage Journal

      I've worked in the IT field for 15 years - in academia, for financial institutions, for Fortune 500 companies, and at small, locally owned businesses.

      You would balk if you saw how many of the "top companies in America" don't give 2 shits about security, outside of whatever the latest CNN scare story is. I personally find it amazing how some of these corporations will spend tens of thousands of dollars on fancy security equipment.... that they never bother to actually configure.

      You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

      • Equifax

      • You would balk if you saw how many of the "top companies in America" don't give 2 shits about security, outside of whatever the latest CNN scare story is. I personally find it amazing how some of these corporations will spend tens of thousands of dollars on fancy security equipment.... that they never bother to actually configure.

        You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

        Absolutely! Except there is going to come a point in time where a concerted effort by small nation-state-sponsored groups will be able to completely destroy corporate giants overnight. When they see empires around them begin to fall they will either start caring or become a casualty of cyberwarfare.

    • by InvalidsYnc ( 1984088 ) on Friday January 12, 2018 @06:06PM (#55918447)

      I think the main point is that people don't realize that they have a "lock" that they need to change the combination on. Perhaps with additional education people can "check their sh*t" and see if it needs to be changed. Then the bad actor can just look under their keyboard for the PW, but at least it won't be "admin" anymore.

    • by eddeye ( 85134 ) on Friday January 12, 2018 @06:28PM (#55918591)

      So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

      Bad analogy. The difference here is once the attacker turns on remote monitoring, it occurs silently. There's no indication that it's happened and no way to recover. If you forget the combination to your safe, then 1) it's obvious and 2) you can still retrieve the contents in other ways.

      This is not just a case of "stupid user". It's a poor design on Intel's part. Intel handed them a loaded shotgun with a hair trigger pointed directly at their foot.

    • Apparently it's now a "flaw" with Kwikset, Schlage, Yale locks if I don't turn the lever on the inside to the 'lock' position. These lock manufacturers must do something about this immediately!

    • I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing.

      And what about when you buy a new electric frying pan? Do you remember to change the default factory passcode for one of your own? Or do you not even realize that your new frying pan has a passcode that needs to be set?

      The latter is the situation with a huge number of PC buyers.

    • So, the "flaw" is that the user forgot to set the lock?

      No, the flaw is that there is an extra subsystem living within the CPU which is enabled by default, whether you want it or not, listening on all your network ports and waiting for someone to come along with the default password and take over the system.

      If the system had to be enabled manually by someone with physical access (and the BIOS password, if one is set) then it would be reasonable to expect the administrator to change the access codes. The same applies if the remote management capability were the p

  • Shouldn't AMD benefit from this long term?
  • Millions of devices ship with default passwords. It is an issue only if it is not possible to change it, and the need to change is not clearly explained when it was shipped. Ideally it should not be the same password for all devices but something unique to each chip, given to the manufacturer as part of shipped chips.
  • by Anonymous Coward

    Over the last few months, we've come to know that:

    1) For years Intel has put a backdoor in hundreds of millions of CPUs, called "Management Engine"

    2) That the aforementioned backdoor, besides being evil in itself, is also full of bugs

    3) That their CPUs, because of some mentally diseased architectural features, somehow allow javascripts from a browser to read kernel memory, something that would have been inconceivable until a decade ago

    4) ... and finally that Intel doesn't even want to refund customers for a

    • by HiThere ( 15173 )

      You are conflating intentional evil with unexpected problems. Both happened, but in separate incidents. E.g., the bugs in the management engine were unintentional.

      Point 3 is unfair. You are describing Spectre, not Meltdown, and nobody expected Spectre. Intel (and others) had reason to expect Meltdown.

      Point 4 is also unfair, but much less so. There's no way that Intel could replace the chips that are causing problems. Some of them come from discontinued lines of manufacturing, and many of them can't b

  • by sheramil ( 921315 ) on Friday January 12, 2018 @06:30PM (#55918611)

    can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu...

    How do you bypass the BIOS password if you can't get to the BIOS boot menu, because you don't have the BIOS password? I don't think "brief physical access" covers "opening the case and pulling the CMOS battery".

    • How do you bypass the BIOS password if you can't get to the BIOS boot menu, because you don't have the BIOS password?

      That is what is expressly addressed by this "vulnerability". You don't need to enter a BIOS menu to access MEBx, and if you have remote administration enabled in AMT you don't even need to be at the computer. Yet from there you can specifically change BIOS settings.

  • by Anonymous Coward

    Stop its ability to send info outward via router port filtering of ports 16992-16995 and 623-625, which Intel AMT/ME uses, in a modem/router external to the OS/PC.

    Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (ez via software like the uninstaller for it & DisableAMT

  • by Anonymous Coward

    Russia invests enormous resources into making their own Elbrus chips which are based off of MIPS architecture. They are certainly lagging a few generations from the fastest process technology, but that's what you got to do if you don't want to have NSA backdoors in weapons systems: https://en.wikipedia.org/wiki/Elbrus_(computer)

  • Rule 1 of security. Physical access trumps everything else. So you can't claim finding a defect that can be exploited physically is a breach. For that matter, someone could start plugging things into the motherboard. This is just a lot of stupid hoopla. Everyone in OpenSource knows the REASON Open Source works is to bypass security through obscurity. Open Source DOES NOT and WILL NEVER (and neither will any security system) foil physical access 100% of the time. As for this - I've never even seen this option i
  • I find it hard to get worried about an exploit which requires physical access to the machine because if a hacker has that it pretty much means it doesn't matter what you've done and whether or not an exploit exists they're going to be able to get access to your data. Once a hacker has physical access to your machine it is pretty much game over.
