You Never Know When…

Posted in silva, mobile, blogging, blog traffic, smartphone, scams by psilva on April 28th, 2016

An old article gets new life. #TBT

Back in 2012 I wrote an article titled Bait Phone. It was about cops dropping mobile phones with a tracking device and following the stealing culprit for an arrest. Like Bait Car but with a smartphone.

Over the weekend, I noticed that the article was blowing up but couldn’t figure out why:

428bait.jpg

I even tweeted out on Monday:

baittweet.jpg

At the time, I didn't realize something else was at play.

Then I decided to do a twitter search:

bait_tw.jpg

And found that a video with the same name as my blog post was trending: Bait Phone 2 - basically a stun gun with a remote. Over 2.2 million YouTube views in less than a week. It’s a prank video where they have a remote zapper to sting the culprits when they grab & walk away with the phone. One guy - who had it in his pocket - denied taking it until he was personally shocked.

When I did a Google search over the weekend, my article was still at the top but now the article is like #13 listed (maybe even lower) and the video has taken the top spot.

But you never know when an old article might pop due to some other circumstances. At least folks are reading it and not totally bailing!

Fun stuff.

ps 




The Dangerous Game of DNS

credit-card-perspective.jpg

The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries.

And because of that, DNS is a precious target and only lags behind http as the most targeted protocol.

DDoS-ing DNS is an effective way to make the service unavailable. As the flood of malicious DNS requests hits the infrastructure, the service can become unresponsive if there is not enough capacity. Organizations can add more servers or turn to their cloud-based security provider for help. One of the strategies cloud-based security providers use to shield DNS is DNS redirection. Cloud providers will divert incoming traffic to their own infrastructure, which is resilient enough to detect and absorb these attacks. The success of this strategy, however, depends on how well the website's original IP address can be shielded. If the bad guy can find that IP address, then they can get around the protection.

So is DNS redirection effective? Researchers decided to find out.

Scientists from KU Leuven in Belgium built a tool called CLOUDPIERCER, which automatically tries to retrieve websites' original IP address, including through unprotected subdomains. Almost 18,000 websites, protected by five different providers, were part of the team's DNS redirection vulnerability tests. In more than 70% of the cases, CLOUDPIERCER was able to retrieve the website's original IP address - the precise info needed to launch a successful attack.

Researchers did share their findings with those cloud-based providers and have made CLOUDPIERCER freely available for organizations to test their own DNS infrastructure.

In another DNS scam, a new version of the NewPosThings PoS (point of sale, not…) malware is using DNS rather than http/https/ftp to extract data from infected PoS terminals. This is an interesting twist since most security solutions monitor http/https traffic for suspicious activity. Anti-virus doesn’t necessarily watch DNS and admins cannot simply turn off DNS since they need it to resolve hostnames and domains. Seems like a clear shot.

The newest version of NewPosThings is nicknamed MULTIGRAIN and it only targets (and infects) one specific type of PoS platform: the multi.exe process, specific to a popular electronic draft capture software package. If the multi.exe process is not found, the malware moves on. Once inside, the malware waits for the Track 2 credit card data and once it has the data, it encrypts and encodes it before sending it to the bad guy via a DNS query.

The use of DNS for data exfiltration on PoS devices is not new, and it shows not only how attackers can adjust to different environments but also that organizations need to be more aware of their DNS traffic for potential anomalies.
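One way to look for that kind of anomaly in resolver logs, as an added example (not from the original post or from any F5 product). It flags a client that sends many unique, long, high-entropy subdomains to one parent domain; the log layout, thresholds, addresses and domains are all assumptions constructed for the illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Constructed resolver log: (client_ip, queried_name). All hosts, addresses and
# domains are made up. The eight long labels stand in for encoded payload
# chunks; they are base32 text derived from a counter, not real data.
_CHUNKS = [
    base64.b32encode(hashlib.sha256(b"chunk-%d" % i).digest()[:20]).decode().lower()
    for i in range(8)
]
SAMPLE_QUERIES = (
    [("10.20.0.31", f"{c}.exfil-zone.example") for c in _CHUNKS]   # PoS terminal
    + [("10.20.0.31", "time.example.net")]
    + [("10.20.0.15", f"img{i}.cdn.example.net") for i in range(1, 9)]  # busy, benign
    + [("10.20.0.15", "www.example.com"), ("10.20.0.15", "mail.example.com")]
)


def shannon_entropy(text):
    """Bits per character; encoded or encrypted data scores high."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_name(qname):
    """Return (subdomain part, parent domain).

    Assumption: the parent domain is the last two labels. A production
    version would consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_exfil_suspects(queries, min_unique=5, min_avg_len=24, min_avg_entropy=3.5):
    """Group queries by (client, parent domain) and flag tunnelling-like patterns.

    All three conditions must hold, so a chatty CDN (many names, short labels)
    or a single long hostname does not trigger on its own.
    """
    seen = defaultdict(set)
    for client, qname in queries:
        sub, parent = split_name(qname)
        if sub:
            seen[(client, parent)].add(sub)

    suspects = []
    for (client, parent), subs in sorted(seen.items()):
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if (len(subs) >= min_unique and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy):
            suspects.append({
                "client": client,
                "parent_domain": parent,
                "unique_subdomains": len(subs),
                "avg_length": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            })
    return suspects


if __name__ == "__main__":
    for hit in find_exfil_suspects(SAMPLE_QUERIES):
        print(hit)
```

The thresholds need tuning against your own baseline, since some legitimate services also generate long machine-made hostnames.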

BIG-IP could also help in both instances.

For the redirection issue, BIG-IP or our Silverline Managed Service offers Proxy mode with DNS redirection. With Routed Mode, we offer BGP to Silverline then Generic Routing Encapsulation (GRE) tunnels or L2VPN back to the customer to mask the original IP address.

For the PoS malware, BIG-IP can utilize a DNS response policy zone (RPZ) as a firewall or outbound domain filtering mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain and each RRset includes the names of the malicious domain and any subdomains of the domain.

When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways based on your configuration. You can configure the system to return an NXDOMAIN record that indicates that the domain does not exist or return a response that directs the user to a walled garden.

rpz1.png

BIG-IP returns NXDOMAIN response to DNS query for malicious domain

rpz2.png

BIG-IP forwards DNS query for malicious domain to walled garden
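The two behaviors in the diagrams above, modeled as an added example (not F5 code and not from the original post). The zone text follows the common RPZ zone-file convention of one record for the domain and a wildcard record for its subdomains; the domains, addresses and the `respond` function are constructed for the illustration.

```python
# Constructed RPZ content: one RRset per listed domain plus its subdomains.
RPZ_ZONE = """\
$ORIGIN rpz.example.
; domain                 policy record
malware-c2.example       CNAME .
*.malware-c2.example     CNAME .
dropzone.example         CNAME .
*.dropzone.example       CNAME .
"""

UPSTREAM = {"www.example.com": "192.0.2.80"}  # constructed stand-in for normal resolution
WALLED_GARDEN_IP = "192.0.2.250"              # constructed walled-garden address


def parse_rpz(zone_text):
    """Return (exact_names, wildcard_parents) from RPZ-style zone text."""
    exact, wildcard = set(), set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):     # skip blanks and directives
            continue
        fields = line.split()
        if len(fields) < 3 or fields[-2].upper() != "CNAME":
            continue
        owner = fields[0].lower().rstrip(".")
        if owner.startswith("*."):
            wildcard.add(owner[2:])
        else:
            exact.add(owner)
    return exact, wildcard


def is_listed(qname, exact, wildcard):
    """Match whole labels only, so 'notmalware-c2.example' is not caught
    by an entry for 'malware-c2.example'."""
    name = qname.lower().rstrip(".")
    if name in exact:
        return True
    labels = name.split(".")
    return any(".".join(labels[i:]) in wildcard for i in range(1, len(labels)))


def respond(qname, exact, wildcard, action="nxdomain"):
    """Return (rcode, address) the filtering resolver would hand back.

    action is the configured behavior for listed names:
    'nxdomain' or 'walled-garden'.
    """
    if is_listed(qname, exact, wildcard):
        if action == "nxdomain":
            return ("NXDOMAIN", None)
        if action == "walled-garden":
            return ("NOERROR", WALLED_GARDEN_IP)
        raise ValueError(f"unknown action: {action}")
    address = UPSTREAM.get(qname.lower().rstrip("."))
    return ("NOERROR", address) if address else ("NXDOMAIN", None)


if __name__ == "__main__":
    exact, wildcard = parse_rpz(RPZ_ZONE)
    for name in ("www.example.com", "malware-c2.example",
                 "a1b2.data.dropzone.example", "notmalware-c2.example"):
        print(name, respond(name, exact, wildcard, "nxdomain"),
              respond(name, exact, wildcard, "walled-garden"))
```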

DNS is one of those technologies that is so crucial for a functioning internet, especially for human interaction. Yet it is often overlooked or seems to only get attention when things are broken. Maybe take a gander today to make sure your DNS infrastructure is secure, scalable and ready to answer each and every query. Ignoring DNS can have grave consequences.

ps





You’re Getting Under My (e)-Skin

Posted in f5, cloud computing, silva, application delivery, big data, iot, sensors, wearable by psilva on April 20th, 2016

utokyo.jpg

Imagine if the temporary tattoos that come in a box of Cracker Jack (if you’re lucky) had an electronic display logo that lights up when you put it on. Or a fitness tracker that you tape to yourself rather than wearing it around your wrist. Or a watch so thin that it lights the time while blending into your skin. Or even, a sensor that can be applied directly to an organ to determine health.

This is the future for electronic skin. Yup, I said it: E-Skin.

Researchers in Japan have developed an ultra-thin and ultra-stretchy material that can mimic the flexibility of human skin. Ultraflexible organic photonic skin is an organic polymer with light-emitting diodes (PLEDs) or small sheets of energy-efficient lights that are laminated right on the skin. These are intended to equip the human body with electronic components for health-monitoring and information technologies. These are transparent but when powered with electrical pulses, it’ll emit a colored light, number or letter depending on the implementation. The arrangement of PLEDs can also display more complex information. They also report that this PLED film produced less heat and consumed less power than previous e-skin samples.

The interesting thing here is that they used organic materials, added an extra layer of film to protect it from oxygen and water, so it lasted several days. Past organic efforts lasted less than a day due to air exposure. Today, non-organic materials used to make super-thin tattoo-like monitoring devices can last weeks or longer.

These advancements will only fuel the health care wearable market which is growing exponentially.

HCW-16-chart.jpg

Research firm Tractica released findings from its report ‘Wearable Devices for Healthcare Markets’ that show worldwide shipments of healthcare wearables will increase from 2.5 million in 2016 to 97.6 million in 2021…or $17.8 Billion in yearly revenue. The general wearable device market will increase from 85 million units in 2015 to 559.6 million units by 2021 - a compound annual growth rate of about 37%.

If you thought the influx of data center and cloud traffic from mobile was big, just wait until all our body vitals start hitting the wire. Add that to all the other IoT initiatives, like home/automotive, and big data suddenly turns into ginormous data.

While we may instantly think about the fitness trackers and smartwatches that garner our bodies, the health care industry is also looking at the treatment of chronic diseases, wellness programs, remote patient monitoring and physician use. And there are other devices like posture monitors, connected wearable patches and pain management wearables that are gaining ground.

I can already hear the posture sensor barking, 'Stop Slouching!' and a pain patch that actually works instead of those menthol smelling globs – great idea!

ps





Let the Training Begin!

Posted in f5, big-ip, silva, application delivery, certification by psilva on April 13th, 2016

A few weeks ago I mentioned that I was on a journey to getting properly trained and reacquainted with the more technical nuances of F5 solutions with the goal of achieving F5 Professional Certification sometime this year. In fact, most of F5’s DevCentral team is also shooting for certification and we’ve set up our study path.

As a refresher, F5 has a number of educational programs to help you get acquainted, get fully trained or become a Certified Professional with F5 gear. From free online courses to instructor led classroom seminars to challenging your knowledge with a certification, F5 can help you, as it is helping me, understand the inner workings of BIG-IP. I began at F5 University with the Getting Started series and was able to get through a number of modules at my own pace.

This week, the DC team is in Seattle at the Mother Ship and we decided to kick off our study prep while we’re together. This is for the initial 101-Application Delivery Fundamentals exam and we’re using Eric Mitchell’s excellent Study Guide as our guide. There is also an Exam Blueprint available that goes through the objectives of each section and gives examples of the types of questions asked. Um, what's the purpose and functionality of MTU and MSS again?

osi.jpg

The 101-Application Delivery Fundamentals test is the first exam required to achieve F5 Certified BIG-IP Administrator status. All candidates must take this exam to move forward in the program. Successful completion of the 101 exam acknowledges the skills and understanding necessary for day-to-day management of Application Delivery Networks (ADNs). The 101 exam is not so much, how do you do this on a BIG-IP but more about the basics of the OSI model, networking, protocols, common traffic management/load balancing concepts, cryptographic services and application delivery platforms in general. The essential knowledge needed to deploy any application delivery controller.

We’ve decided to each take and prepare a section of the study guide and present to the team. We’ve set up weekly meetings and each week is an exam section. This week is the OSI model and (theoretically) in 5 weeks, we should be ready to take the exam. If you are prepping or planning to get certified at our Agility event in Chicago this summer, you and your team may want to consider that approach. All the learning benefits, with slightly less stress.

So that’s our most recent update as we continue on the certification path. If you’d like a step-by-step guide, including how to register and schedule your exam, check out Austin Geraci’s article Becoming F5 Certified - BIG-IP Administrator Certification - 101 & 201 Exams and/or join the F5 Certified! Professionals group on LinkedIn. Good stuff.

ps 




Plugging Data Leaks

dataharvest.png

Whether intentional or accidental, data leaks are a huge concern for organizations, and they have been for years. Going back to 2004, a survey from an IT security forum hosted by Qualys found that 67% of security executives do not have controls in place to prevent data leakage. In a December 2006 survey, Boston-based researchers Simon Management Group noted that some 78% of respondents said they were "very concerned" about data exposure. A 2010 article published by Trustwave on CSOonline.com said that 65% of leakage occurs due to the following combined methods: Microsoft SMB sharing, Remote Access Applications, and Native FTP clients.

And a recent informal survey conducted by the Avast Mobile Enterprise team at two healthcare technology events indicates that Data Leakage (69%) was the greatest security concern of Healthcare CISOs. Insider threats (34%) and Malware (28%) got silver and bronze.

Information seems to be the gold standard in today’s digital society and it comes in many forms. It can be personally identifiable information (PII) of customers or employees; it can be corporate or financial info; it can be litigation related; it can also be health care related and really, any data that should be kept secret…except from those who are authorized to view it.

According to Cisco, some risky behavior by employees can aggravate the situation. Areas included:

  • Unauthorized application use: 70% of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents.
  • Misuse of corporate computers: 44% of employees share work devices with others without supervision.
  • Unauthorized physical and network access: 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
  • Remote worker security: 46% of employees admitted to transferring files between work and personal computers when working from home.
  • Misuse of passwords: 18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.

How can you reduce and mitigate some data leakage risks? BIG-IP can help shore up some areas.

The overall category of Data Loss Prevention (DLP) is a multi-faceted area of security that encompasses securing data storage, data transmission, and data in-use. Specifically, BIG-IP ASM focuses on the protection of data in-flight. For instance, ASM’s DataGuard is a method of protecting against SSN or CC# information leaking out of back-end databases, but ASM’s benefits in a DLP strategy extend well beyond that. DLP is concerned with unauthorized access to any private data, whether confidential personal or corporate information. ASM provides comprehensive protection against unauthorized back-end database access by preventing the exploit of well-known vulnerabilities such as XSS, SQL-injection, cookie poisoning, etc. If you can’t even reach the info, there is less likelihood of it leaking.

No single product is going to provide a comprehensive, all inclusive DLP solution. HIPAA, PCI, and other regulatory standards are focused almost entirely on DLP. BIG-IP ASM, as a WAF, provides a vital part of any overall DLP solution in today’s security-conscious environment.

ps





The Land of the Partially Connected

Posted in silva, people, humans, family by psilva on April 1st, 2016

Greetings from Ottertail County

Last week my family visited some relatives in Minnesota. Fergus Falls and Clitherall to be exact. Both are situated in Ottertail County – about half way up the state toward the Fargo, North Dakota side. While Fergus has a population of around 13,000, Clitherall claims 112 people and much of the area is farms, lakes, woods, nature and many of the locals are hunters, ice-fishers, farmers and people who love the great outdoors...even during the long, demanding winters. In the summer it is a quaint little resort town. There is a dirt road to get to my wife’s dad’s house and we even saw a couple eagles engaged in a talon lock while we were there. We always enjoy our stays.

A decade ago, cell phone coverage was spotty but it has gotten better, albeit 2/3G in some areas, and most have access to the internet either by cable or satellite. But the internet, for some folks, is not as important or critical as it is for many of us ‘connected’ beings. Poppa Maggie’s house on Mallard Bay can get internet access but he doesn't want it. I’m sure many of you have experienced remote areas of the country where the grid is available but people choose not to participate or simply use their mobile device for the few things that they need.

mallard_bay_sm.jpg

At one of the family gatherings - on a farm in a log cabin - our cousins were wide-eyed about all the ‘technology’ stuff we knew. While I asked about the family history and why they originally settled in that location, soon the discussion turned to wearables, data breaches, encryption and even the Fed’s iPhone situation. I remember Cousin Patty saying, ‘I’m just a simple farm girl and really don’t know anything about the internet or technology.’

I was a little jealous.

Granted, many of the large farms in America do use technology to track the herd, measure moisture/water schedules, check soil conditions, maneuver tractors, check grain silos and so forth. But these were small family farmers and didn’t have large contracts with nationwide distributors. Often, their crop is to simply feed the family and stock for the year and/or sell at local markets.

I told Patty that I was a bit envious of her situation and that knowing all the ins and outs of technology can sometimes be stressful, anxiety filled and a burden. Always worried about being a target; insight on how cyber-crime works; knowing that nothing is totally secure until you unplug or disconnect it. I felt safer surrounded by trees, lakes, deer, bear, geese, and ducks…and with no computer connection. Add to that, they got me beat hands down for survival skills. They are craftsmen, cooks, hunters, builders, agriculturalists, environmentalists, conservationists and hard working, good people.

BREAKING NEWS: It was tranquil and relaxing.

Like many of you, technology is part of my life, how I make a living and I’m not looking to hang up my RJ-45s any time soon. I have a great interest in how it is shaping our society and love exploring and explaining how a lot of it works. However, it is also important to unplug every once in a while and experience some technology-free time. It clears the mind, slows you down and you might get to see the flirtatious free fall (or epic battle) of a truly majestic creature.

ps




Get Smart with IP Intelligence

Posted in security, f5, big-ip, application security, silva, network, control, infrastructure by psilva on March 30th, 2016

ip_intel_scan.jpg

There are always threats out there on the big bad internet. The majority of breaches happen at the application layer and many OWASP Top 10s like SQL injection are still malicious favorites to gain entry. Add to that the availability of DDoS tools, anonymous proxies and the rise of hacktivism, and networks and systems are bigger targets than ever. Threat detection today relies on a couple of elements: identifying suspicious activity among the billions of data points and refining a large set of suspicious incidents down to those that matter.

Today’s cyber-criminals use various techniques to hide their identities and activity. Keeping them out of your systems requires constant vigilance. Every packet that traverses the internet has a source IP address, so disabling inbound communications from known malicious IPs can be highly effective.

You may not know but F5 offers IP Intelligence Services which provides the functionality to block known malicious IP addresses. It is a layer of IP threat protection and an additional way to allow BIG-IP customers to defend against malicious activity and infrastructure attacks. The IP Intelligence service is offered on several BIG-IP platforms. With IP Intelligence, BIG-IP AFM can be configured to block or allow traffic entering the system based on the reputation of the source IP address.

BIG-IP AFM determines reputation using two methods. One is a continuous feed of known or suspected malicious IP addresses provided by a third-party service, Webroot BrightCloud. You can also create custom feed lists that specify IP addresses that have been blacklisted or whitelisted by the organization. The BrightCloud feed is updated every 5 minutes by default, and custom feed lists are unique to the AFM and are polled at intervals of your choosing.

These two methods are jointly referred to as IP Intelligence and can be used independently or in tandem to filter traffic on the BIG-IP systems. The BrightCloud option is licensed separately through F5 and requires internet connectivity and DNS resolution from your BIG-IP system. Custom feed lists do not need connectivity since they are local to the BIG-IP.

afm_feeds.jpg

IP Intelligence can be applied via AFM firewall policy to the Route Domain or Virtual Server. Once enabled, it will affect all traffic that arrives on your BIG-IP system no matter the access point.

The IP Intelligence data is organized into categories that help you differentiate between types of listed IP addresses. There are 11 pre-defined categories including botnets, scanners, infected sources, illegal websites and more. These correspond to the categories in the BrightCloud feed. You can also create up to 51 custom categories to meet your own specific needs.
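How a subscription feed, a custom feed list and per-category actions can combine into one verdict, as an added example (a generic model, not BIG-IP AFM code or configuration). The four-field feed line layout, the rule that a whitelist entry overrides any blacklist hit, the category names and all addresses are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed stand-in for the third-party reputation feed: address -> category.
SUBSCRIPTION_FEED = {
    "203.0.113.7": "botnets",
    "198.51.100.23": "scanners",
    "198.51.100.77": "infected_sources",
}

# Constructed custom feed list: address,prefix,bl|wl,category
CUSTOM_FEED = """\
192.0.2.0,24,bl,partner_abuse        # whole range blacklisted
192.0.2.10,32,wl,partner_monitoring  # one trusted host inside that range
203.0.113.7,32,wl,research_sensor    # overrides the subscription feed
"""

# Action per category; a listed category with no 'drop' action is only reported.
CATEGORY_ACTION = {
    "botnets": "drop",
    "scanners": "drop",
    "partner_abuse": "drop",
    "infected_sources": "accept",
}


def parse_feed(text):
    """Parse feed lines into (network, 'bl'|'wl', category) tuples."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[2] not in ("bl", "wl"):
            raise ValueError(f"line {number}: expected address,prefix,bl|wl,category")
        network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        entries.append((network, parts[2], parts[3]))
    return entries


def classify(source, subscription, custom, actions):
    """Return (action, category) for a source address.

    Order of evaluation (assumed for this example):
    1. any whitelist match wins, most specific prefix first;
    2. otherwise every blacklist category that matches is checked,
       custom entries first, then the subscription feed;
    3. the first category whose action is 'drop' decides.
    """
    address = ipaddress.ip_address(source)
    hits = [(net.prefixlen, kind, cat) for net, kind, cat in custom if address in net]

    whitelisted = [h for h in hits if h[1] == "wl"]
    if whitelisted:
        return ("accept", max(whitelisted)[2])

    categories = [cat for _, _, cat in sorted(hits, reverse=True)]
    if str(address) in subscription:
        categories.append(subscription[str(address)])

    for category in categories:
        if actions.get(category) == "drop":
            return ("drop", category)
    return ("accept", categories[0] if categories else None)


if __name__ == "__main__":
    feed = parse_feed(CUSTOM_FEED)
    for src in ("192.0.2.10", "192.0.2.55", "203.0.113.7",
                "198.51.100.23", "198.51.100.77", "198.51.100.200"):
        print(src, classify(src, SUBSCRIPTION_FEED, feed, CATEGORY_ACTION))
```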

Networks, infrastructures, systems and applications are all under attack these days. While you can do your best at securing your data, sometimes a little call blocking can go a long way in ensuring these known rascals cannot get through.

Peace of mind is always a secure feeling.

ps




Time It Takes the Fingers to Remember a New Password? About 3 days

Posted in security, silva, authentication, cybercrime, identity theft, human behavior, access by psilva on March 18th, 2016

unpw.jpg

Recently I changed some of my passwords. Some due to typical rotation time and a couple due to potential breaches and encouragement from the affected site. No, I’m not going to tell you which ones or how I go about it but I noticed that it took about 3 days for my fingers to key the correct combination.

This has probably happened to you too, where after changing a password, you inadvertently enter the old password a number of times since that is what the fingers and hands remember. Yes, I’m sure many of you have password keepers (which have also been breached) locked by a master and I use one too, but for many of my highly sensitive passwords, I keep those in my head.

As I continued to enter the old password for a couple days only to correct myself, I started thinking about habits and muscle memory. Some adages talk about it taking about 30 days (66 days in this study) to either pick up or drop a habit if done daily. Want to keep an exercise routine? Do it daily for a month and you are more than likely to continue...barring any unforeseen circumstances.

And then there’s muscle memory. Things like riding a bike, signing your name, catching a ball or any repetitious, manual activity that you complete often. Your muscles already know how to do it since they’ve been trained over time. You do not need to think about, ‘OK, as it gets closer, bring your hands together to snag it from the air,’ it just happens. This is one of the reasons why people change or update certain exercise or resistance routines – the muscles get used to it and need a different approach to reach the next plateau.

I wondered if anyone else had thought of this and a quick search proved that it is a bona fide technique for password memory. Artists like musicians use repetitive practice for scale patterns, chords, and melodic riffs and this trains the muscles in the fingers to 'remember' those patterns. It is the same notion with passwords. Choose a password that alternates between left and right hands and has some rhythm to it. After a bit, the hands remember the cadence on the keyboard and you really do not need to remember the random, committed numbers, letters or Shift keys pounced while typing your secret. This is ideal since only your fingers remember, not necessarily your mind.

Granted, depending on how your head works this technique might not work for everyone but it is still an interesting way to secure your secrets. And you can brag, 'If you break my fingers, it'll wipe the device.'

ps





Jumping on the Rails of the Technical Train

Posted in big-ip, silva, devcentral, certification, train by psilva on March 15th, 2016

cert_hat.jpg

I used to be technical, highly technical. You know the kind…more comfortable with CLI rather than GUI, limited use of CAPS at the beginning of sentences and proficient at configuring & troubleshooting a slew of devices from multiple vendors. But after a couple role changes over the years, my technical acumen has slightly diminished. Again, you probably know the drill that if you’re not tapping away at it daily, some of those skills dwindle. Plus, with new technology replacing the stuff you knew 10 years ago, it often feels like starting over.

But don’t fret! As with anything, you can regain some prowess and learn new tricks with a bit of training. Get on that bike and ride!

That’s what I’m going through now.

When I joined the DevCentral team, I quickly realized that our community is much smarter than I when it comes to the intricacies of our solutions. My initial reaction to many of the questions that get posted on DevCentral sounds like the ‘Aaaaaahhhhhh, Ahhhhhh,’ from Beavis and Butt-Head. I have no idea. I’ll Alt-Tab to the AskF5 Knowledge Base to check if there is already an answer and often there is. But when it is a unique situation or something with iRules, I look blankly at the screen and wonder, ‘How can I help, when I don’t even know.’

One of the great things about working at F5 is that they allow us to take whatever training is needed to be proficient at our job. Over the last couple weeks I’ve been doing just that – initially digging in to F5’s free Web Based Training.

f5_cert.jpg

F5 has a number of educational programs to help you get acquainted, get fully trained or become a Certified Professional on F5 Solutions. From free online courses to instructor-led classroom seminars to challenging your knowledge with a certification, F5 can help you, as it is helping me, understand the inner workings of BIG-IP. I began at F5 University with the Getting Started series and was able to get through a number of modules at my own pace. We have programs for both partners and customers, and they are a great way to learn the fundamentals of the BIG-IP system.

Next for me, will probably be some classroom training with hands on configuration and the entire DevCentral team will embark on a path to F5 Certification. Hear that Ken? We’re coming for ya!! We’re going to start a mini-study group using many of the resources available and chronicle our progress. The idea is that we’re like you – we know a lot already but want to get deeper in our understanding and for me, better at providing the details of our technical solutions.

Join us over the next bunch of months as we share our experiences of becoming an F5 Certified Professional.

ps 




Hello Infiltrators - Our Doors are Wide Open

Posted in security, f5, silva, privacy, mobile, cybercrime, iot, things, risk, sensors, society by psilva on March 11th, 2016

Gossamer_restored.jpg

In the 1946 classic ‘Hair Raising Hare,’ Bugs Bunny asks, ‘Have you ever have the feeling you were being watched? Like the eyes of strange things are upon you?’ Like Bugs often did, he breaks the fourth wall and involves the audience directly, invoking a feeling that someone is looking over your shoulder.

Today, it is likely the case that you are being watched by the strange (internet of) things that are starting to infiltrate our homes, cars, bodies and the whole of society. While there is a mad rush by people purchasing these things and a similar rush for companies to develop applications and services around those, many are not pausing to either understand the risks or build security into the products.

From home security systems to surveillance cameras to baby monitors to televisions to thermostats, examples pour in daily about flaws and vulnerabilities that leave you, your family and your home exposed. The way things are going, even if you’ve closed and locked your front door physically, that door is wide open to the digital world.

Here are just a few recent examples.

Might as well start with our dwellings. Security researchers at Rapid7 found flaws in Comcast’s Xfinity Home Security system that would cause it to falsely report that the home’s windows and doors are closed and secured even if they’ve been opened. It also failed to detect an intruder’s motion inside the house. Attacking the system’s communications protocol, they used radio jamming equipment to block the signals that pass from the door, window, or motion sensor to the home’s baseband hub. The system didn’t notice the communication was breached and essentially failed open without any alert to the owner. When the jammers were turned off, it took minutes to hours for the sensors to reconnect and still didn’t give any indication that a catastrophe could have occurred.

Next, to some of the things inside the insecure house. Experts are predicting that as more connected, smart-TVs enter the home, this will be an avenue for the bad guys to breach your home network. Almost half of U.S. households already have a smart-TV and close to 70% of the sets sold this year will have connectivity capabilities. A threat researcher with Symantec was able to infect his new Android-based smart-tele with some ransomware. Within a few seconds, the TV was locked and unusable with the fear inducing pay-up-pop-up ransom note.

Also giving outsiders a view of the inside, Princeton researchers found that certain IoT thermostats were leaking customer zip codes over the internet in clear text. Fortunately, when the manufacturer was notified they quickly issued a patch. There are many horror stories about strangers watching and talking to children via insecure baby monitors. Add to that, toys that record your kid's conversations put the whole family at risk.

And out on the road, we’ve seen how researchers were able to control a Jeep and last week, researchers were able to remotely control any of the Nissan Leaf’s functions by using the mobile app’s insecure APIs. The unsecured APIs allowed anyone who knows the VIN of a car to access non-critical features like climate control and battery charge management from anywhere on the Internet. Also, someone exploiting the unauthenticated APIs can see the car's estimated driving range. They too, pulled access to the app until they can properly secure the infrastructure and application that supports the mobile app.

Lastly, if you think this is contained within a consumer based household, think again. A recent Ponemon/Lookout survey revealed that an average of 1,700 malware laced mobile devices per company connect to an enterprise network. Wait ‘til all the insecure wearables start connecting. Employees are often referred to as the weakest link. Today it is mostly their insecure mobile devices but multiply that by a wardrobe, and now the risk is enhanced.

ps


Image courtesy: https://en.wikipedia.org/wiki/File:Gossamer_restored.jpg



