Upload
anon-520250
View
217
Download
0
Embed Size (px)
Citation preview
8/14/2019 DMK BO2K7 Web
1/67
copyright IOActive, Inc. 2006, all rights
reserved.
Black Ops 2007:
Design Reviewing The Web
AKA:Packets Will Be Involved
Dan Kaminsky
Director of Penetration Testing
IOActive, Inc.
8/14/2019 DMK BO2K7 Web
2/67
Introduction
This is my seventh talk here at Black Hat, where
previous subjects have included:
Everything over SSH Massive Speed Network Scanning
Everything over DNS
Pattern Analysis
Neutrality Verification
New Target: The World Wide Web
Why?
8/14/2019 DMK BO2K7 Web
3/67
Thats Not A Moon, Thats A Web
Browser
LucasFilm
8/14/2019 DMK BO2K7 Web
4/67
Mobile Too!
LucasFilm
8/14/2019 DMK BO2K7 Web
5/67
Where The Wild Things Are Rampant and persistent XSS/XSRF announcements
Superbowl .WMF 0-day
Two days before Superbowl, malicious image placed on
web page
1+M desktops compromised overnight
DNS Rebinding Test By Dan Bonehs Team at Stanford
Test flash applet placed on an Ad network, distributed
across many web sites Applet acquired partial network connectivity to client LAN
+100K networks exposed
8/14/2019 DMK BO2K7 Web
6/67
These Are A Few Of My Favorite
Things DNS? Tunneling? Behind Firewalls?
I try to get out, but they pull me back in!
DNS Rebinding is an old bug
Dates back to 1996
So old, people forgot about it, and started buildingsystems that didnt defend against it
Dan Boneh of Stanford Universitys been driving the
most thorough research Attack dates back to 1996 (Princeton Attack)
Martin Johns revived the attack in August 2006
RSnakes been pushing a lot of attention its way
Effect: DNS Rebinding partially breaks the security
policy of the web.
8/14/2019 DMK BO2K7 Web
7/67
How Does The Web Work?
Web pages are pulled together in the browser,
from pieces that can come from all over the place
You can even embed one web page insideanother one!
This is an IFrame
But what if someone embedded Hotmail, and
you were logged in? Would they be able to
read your mail?
8/14/2019 DMK BO2K7 Web
8/67
The Same Origin Policy Look but dont touch
A web page can embed Hotmail, but it cant look inside
to see whats happening
Access to look inside controlled by Same Origin Policy
If foo.com has an iframe to foo.com, it can look inside.
If foo.com has an iframe to bar.com, it can display
bar.com to the user, but it cant peek inside and see what
the user sees.
If two things come from the same place, they must be
trusted the same
Same place = Same name, right?
8/14/2019 DMK BO2K7 Web
9/67
The Bug Names dont host anything.
Everything comes from IP addresses
We use DNS to translate between a name we trust and an IP
address we communicate with
Foo.com -> 1.2.3.4
Bar.com -> 3.4.5.6
Assumption: The translations dont change
Reality: Both foo.com and bar.com can return any IPaddress, at any time, whether they control that IP or not
Bar.com can return an IP address of Foo.Coms
8/14/2019 DMK BO2K7 Web
10/67
Now What? One moment, bar.com could point to a server in Europe
The next moment, bar.com could point to the printer downthe hall
Suppose your browser loaded a page from each address The content from the European server would be from
bar.com
The content from the printer down the hall would also befrom bar.com
According to the Same Origin Policy, the server inEurope can do whatever it wants to your printer!
The server cant get past your corporate firewall
but it doesnt need to. Itll tell your browser what todo, and your browser will report back with whateveryour printer is up to.
8/14/2019 DMK BO2K7 Web
11/67
Why The Attack Works Browser doesnt know bar.com from the external
IP is any different from bar.com from the internalIP
This is by design
Major web sites have IP addresses spreadacross the world, and resources acquired fromthem need to be able to script against one
another Detecting that theres a cross-IP scripting action
happening is only the beginning what to do afterthat is what people are trying to figure out.
8/14/2019 DMK BO2K7 Web
12/67
What is the canonical attack here?
Firewall Bypass
Most corporate networks draw a significant
distinction between the externalnetwork andthe internalnetwork
Things inside can route out
Things outside cannot route in
By bouncing off a lured browser, an attacker
on the outside can access resources on the
inside
8/14/2019 DMK BO2K7 Web
13/67
Levels of Exploitation Level 1: Browser-Only
One IFrame is from Europe, the other is down the hall.Same name, so they can script against eachother.
The Win: Arbitrary HTTP Sites Level 2: Web Plugins
MSXML* / XmlHTTPRequest / Silverlight
The Win: HTTP + Web Services + Semi-ArbitraryHeaders
Level 3: Socket Plugins Flash / Java, though different resources available
through each
The Win: Everything from L1+L2, plus various degreesof TCP or UDP access
8/14/2019 DMK BO2K7 Web
14/67
Java Original Target of 1996 Princeton Attack
From Applet interface, can only get high-port
UDP and TCP to the actual calling app More widely deployed than I thought
LiveConnect
Ability for Javascript to call Sockets directly,
without going through Applet interface Totally rebindable effect is high-port UDP and
TCP to anyone
FireFox and Safari only though
8/14/2019 DMK BO2K7 Web
15/67
Flash
Has worked hardest to make arbitrary socket
connections work when theyre supposed to
Most mature security model in the industry They dont handle rebinding well though
Breaks what is otherwise a lot of really good
work
Effect: Arbitrary TCP, though you have to pull
some tricks to get TCP ports below 1024
8/14/2019 DMK BO2K7 Web
16/67
Mechanisms for rebinding an
address
Lots of ways to use a rebind, but how do youachieve it in the first place?
How do you cause the DNS infrastructure toaccept your change of address?
The entire architecture is designed to cacheacross hours to days, not to be swappable inseconds
Three mechanisms Temporal
Spatial
Ridiculous
8/14/2019 DMK BO2K7 Web
17/67
Traditional Rebinding: Temporal
Modulation
DNS records have a TTL field lets you declare how long a
record should live in the infrastructure before a second query
causes a new request to the original server
Declare a 0 TTL and records will supposedly not cache Now every time the browser has a slightly different DNS
request, you get an opportunity to provide a different
location
Problem: Some networks wont respect your low TTL.
Some networks brag about that ;)
You could wait until the network-enforced minimum TTL
expires, but that takes time
8/14/2019 DMK BO2K7 Web
18/67
Another Rebinding Mechanism:
Spatial Modulation
DNS responses can contain multiple addresses
When bar.com is asked for its IP address, it
returns both its address and the address of theprinter
This can have a infinite TTL
Problem: Which record will the browser choose?
Totally random.
Solution: Try again
Seriously.
8/14/2019 DMK BO2K7 Web
19/67
Spatial Error Resolution Case 1: Browser wants external, gets internal
Fix 1: External resource is hosted on an unusual port, sothe internal connection will fail and thus retry to external.
This has problems with outbound firewalls, though. Fix 2: Immediately after connecting, look for evidence inthe connected session that weve actually reached thecorrect server. If not, destroy the object that did theincorrect retrieve and keep trying until success.
The trick: Retrieve the content with XMLHttpRequest
so that you can actually destroy the object thatguessed incorrectly.
Case 2: Flash/Java wants internal, gets external
Fix: Look for magic token on incoming session. If magictoken is returned, destroy the object and try again. If no
token, retry the applet a couple times just in case theresa extrusion firewall in the way.
8/14/2019 DMK BO2K7 Web
20/67
Ridiculous? People are trying to use DNS TTLs as a security
technology
DNS TTLs are not a security technology Finally, something less a security technology
than Virtual Machines
Overriding a TTL, if you control the record, turns
out to be very easy, and this is by design When something wasnt designed to be a
security technology, dont be surprised when it
isnt one
8/14/2019 DMK BO2K7 Web
21/67
CNiping CNAME Records: DNS Aliases
Instead of returning an address, return what theCanonical, or Official Name was, and then the
address of that Canonical Name If you are allowed to be the resolver for that
canonical name, your additional recordoverrides whatevers already in the cache, even
if the TTL hasnt expired yet Its not a bug.
Works against most, but not actually allname servers
8/14/2019 DMK BO2K7 Web
22/67
CNiping Demo[0] dig 1.foo.notmallory.com
;; ANSWER SECTION:
1.foo.notmallory.com. 120 INCNAME bar.foo.notmallory.com
bar.foo.notmallory.com. 120 IN
A 10.0.0.0
dig bar.foo.notmallory.com bar.foo.notmallory.com. 111 IN
A 10.0.0.0
8/14/2019 DMK BO2K7 Web
23/67
CNiping Demo[1] dig 2.foo.notmallory.com
2.foo.notmallory.com. 120
IN CNAMEbar.foo.notmallory.com.
bar.foo.notmallory.com. 120
IN A 10.0.0.1
dig bar.foo.notmallory.com
bar.foo.notmallory.com. 118
IN A 10.0.0.1
8/14/2019 DMK BO2K7 Web
24/67
Review
By swapping addresses out from
underneath a web browser, we can get
arbitrary TCP (and sometimes UDP)access to hosts reachable by the client.
What can we do with this?
Can we VPN into corporate networkswith nothing but a lured web browser?
Sure! Its easy!*
* Actually a pain in the ass, but heh
8/14/2019 DMK BO2K7 Web
25/67
Concentration
Three actors in this little dance
The Browser, which has access to internal
resources The Attacker, which wants access to those
internal resources
The Proxy, which sends code to the Browser to
copy messages from the Attacker
We will start with the Proxy, running software of
my design. This software is called Slirpie.
8/14/2019 DMK BO2K7 Web
26/67
Slirpie, The Proxy Multiprotocol Server, Built using POE
Accepts TCP streams for Browser delivery, containing
routing data
Accepts HTTP requests for those routable streams
Accepts DNS requests to direct routing
Accepts XMLSocket requests to determine routing policy
For Flash
The basic theme is Attacker connects to Proxy, whichmanages the appropriate resources in Browser to
service the Attackers connections.
8/14/2019 DMK BO2K7 Web
27/67
A Bucket of Suckets Browser connects, establishes an IFrame called a
Bucket
A bucket is a collection of connection managers
The bucket polls for new connections to establish Attacker connects to Proxy and requests a socket to
10.0.0.1, port 80.
Browser Bucket retrieves list of new connections,compares against the previous list, notices one new
demand for 10.0.0.1:80. Bucket opens up a 2nd level IFrame for this new IP
address.
The IFRAME SRC attribute for the 2nd level IFrameis set to 10.0.0.1.foo.proxydomain.com. For now, it
still resolves to the Proxys address. This 2nd level IFrame is called a Sucket.
8/14/2019 DMK BO2K7 Web
28/67
Demo JSON {
"10.0.0.1" : {
"3" : {
"from_browser_seq" : -1, "server_state" :
"CONNECTED",
"from_browser_ack" : -1,
"to_browser" : {
"1" : "YQo=", "0" : "Zm9vCg==",
"3" : "Ywo=",
"2" : "Ygo="
},
"dport" : 80,
"dproto" : 6,
"browser_state" :
"CONNECTING", "to_browser_seq" : 3,
"to_browser_ack" : -1,
"from_browser" : {
} }
}
}
8/14/2019 DMK BO2K7 Web
29/67
How many DNS requests does it take to get
to the center of your corporate network?
Javascript alone will not open this Socket. Flash isnecessary.
HaXe, a metalanguage, is used to compile both a Flash
object and a Javascript interface to it. The Flash object is loaded, and directed to create aconnection to 10.0.0.1:80
QUERY ONE: Load the movie from10.0.0.1.foo.proxyhost.com (actually Proxys IP)
QUERY TWO: Load the security policycontrolling
8/14/2019 DMK BO2K7 Web
30/67
Managing Dataflows 1) Data is received by Flash sent down into the
Suckets DOM for eventual collection.
2) Bucket prepares to send an update to the
Proxy. It visits each Sucket, and retrieves thelatest list of updates.
3) Proxy received the update, acknowledgesreception, and sends any replies in the update
response. 4) Bucket receives the response, and tells eachSucket to parse their replies and send() them upthrough Flash.
8/14/2019 DMK BO2K7 Web
31/67
But What Of Domains? Each of those IFrames inside the bucket is in a
different domain than the bucket itself.
Why can they push stuff up, or pull stuff down? Same Origin Policy allows two subdomains from
the same domain to explicitly claim support for one
another
So we do that.
Thanks Same Origin Policy!
8/14/2019 DMK BO2K7 Web
32/67
And thats it!
OK, a little bit of housekeeping for opening
and closing sockets, and eventually entire
suckets.
Yeah, its a reimplementation of TCP in
Javascript. Who else was going to write
it? but what about the attacker? How does
he open sockets?
8/14/2019 DMK BO2K7 Web
33/67
Does anyone remember this?
8/14/2019 DMK BO2K7 Web
34/67
Back In The Day, When I Was Young
Im Not Runnin 95 Anymore SLiRP
1995 era tool that turned shell connections (text only) into
PPP connections (pretty pretty pictures)
Was old school when I used it in my talk back in 2001 What SLiRP actually does: Given a stream of packets,
create sockets and send the data in the packets into the
sockets
SLiRP was Userspace NAT
Where to find SLiRP: Recent versions uh
disappeared.
Found in my ancient cool stuff archive
8/14/2019 DMK BO2K7 Web
35/67
SLIRP and PPTP PoPToP: Linux PPTP Daemon
PPTP: Horrifyingly hideous VPN protocol, ultimately
uses a PPP encapsulated stream of packets
PoPToP can hand this PPP stream to SLiRP fortermination
Makes setting up a VPN link much easier
Makes VPNing into a web browser possible.
Normally, SLiRP would now handle sockets directly
What if, instead, it gave the socket requests to Slirpie?
8/14/2019 DMK BO2K7 Web
36/67
The General Idea The Attacker runs applications that use sockets.
The sockets get their traffic sent over PPTP to SLIRP.
SLIRP provides a set of streams to the Proxy.
The Proxy tells the Browsers bucket to openappropriate suckets.
The Browser opens suckets, which themselves providesockets.
The Proxy mediates traffic between the Attackerssockets and the Browsers sockets.
And it all just works.
Nessus over IE: Nessie!
WoW over IE: Wowie!
Any TCP-based protocol should work.
8/14/2019 DMK BO2K7 Web
37/67
What else can we use this for? Things other people have mentioned
Click Fraud go to random web sites, do bad things
SPAM er, you get Port 25 access too
What else can we do? Stealth Tor go to a website, be involuntarily added to
a worldwide proxy network
Protect Network Neutrality
P2P Networking?
Java provides UDP support. Even through NATs,bidirectional UDP = ability to generate a cloud entirelyin the browser
That one thing
8/14/2019 DMK BO2K7 Web
38/67
IP OVER SPAM Defcon 14, TCP/IP Drinking Game
How would you get around the great firewall ofChina?
Correct Answer: Drop all RST packets,ignore the firewall trying to shut you down
My Answer: Encapsulate data in SPAM.
We have IP (or at least TCP) inbound
We have SPAM outbound Uh
You know, I was originally joking
8/14/2019 DMK BO2K7 Web
39/67
Oh, People Are Interested In This
Whole Network Neutrality Thing? Iwas unaware this was such a hot button subject when I
started developing tools to detect problems with it
First of all, we need to start using the correct language:
We wish to detect Provider Hostility If youre sniffing my traffic, youre hostile.
If youre altering my traffic, youre hostile.
If youre censoring my traffic, youre hostile.
If youre selling my traffic, youre very very hostile.
Would the military bomb you for doing it to them?
Youre hostile. Deal.
8/14/2019 DMK BO2K7 Web
40/67
What Do We Need To Detect Provider
Hostility?
Downloading data from two separate sites, at two
separate speeds, unfortunately doesnt tell us
much
Too many factors are conflated to determine
what one thing is causing the problem
What we want: Given identical network paths for
two web sites, is the last mile provider hostile to
content from one site vs. another?
Detect differential speeds
Correct content injection
8/14/2019 DMK BO2K7 Web
41/67
SOMEBODY is buying this stuff Everyone who knows anyone who makes routers
knows that carriers are desperately trying to buy
routers that support hostility. There are repeated news articles about ISPs
replacing ads and companies setting themselves
up as ad replacers
Can we monitor the spread of this problem? Can we defend Online Advertising against
the Times Square effect?
8/14/2019 DMK BO2K7 Web
42/67
The Times Square Effect Movies that show Times Square replace all the ads.
No contractual obligation not to
No real expectation from the viewer that this is reality
its a movie Carriers are under no contractual obligation to host the web
sites they say they are
Provider In The Middle attacks might very well beprofitable!
Web sites and ads
Users tolerate them
Businesses would pay dearly to be top ranked on Google
Google Times Squared would not begood.
8/14/2019 DMK BO2K7 Web
43/67
A Modest Proposal For Correcting
Corruption WARNING: This is hideous
Why the web cant go 100% SSL/TLS yet
Ignoring perf, most web sites are aggregated on one
IP, with Host: multiplexing SSL/TLS didnt get an equivalent to the Host: header
to determine which certificate to present until veryrecently, and most downlevel clients dont support
One idea: We use SSL/TLS only to acquire loaders,
which acquire content from existing CDN mechanism butrefuse to inject into the DOM unless a HMAC or TigerTree check is passed
Can definitely do from Flash or Silverlight, possiblyfrom simple AJAX as well
Building a system to do this, codenamed NDK Not DOMokun
8/14/2019 DMK BO2K7 Web
44/67
A Reminder The commercial people are why we have strong
crypto in the browser in the first place. Thanks
credit card craving commerce people! Feds: If you like sniffing traffic, require the
providers to need a warrant before going hostile.
Ad replacement will spread web crypto like
nothing else ever has. Now: Is it possible to get better data regarding the
inevitability of all of this?
8/14/2019 DMK BO2K7 Web
45/67
The Transparent Proxy Gem Some consumer networks have transparent proxies
These take all traffic outbound on Port 80 and coalesceonto a single proxy instance that uses the Host: headerto route requests to the correct destination
Arbitrary TCP = Arbitrary Headers
So an attacker can go back to the IP address thatprovided the applet, and ask for Host: www.fark.com itllget routed to Fark instead of to the original host
What this means
Since the same infrastructure ultimately hosts allweb content, all sites (once theyre cached in proxy)come from the same host
A speed test against this transparent (easily detectable)proxy for various sites will directly yield information about
hostility
http://www.fark.com/http://www.fark.com/8/14/2019 DMK BO2K7 Web
46/67
The Silent Censor Detector Even if theres no transparent proxy, a filter box
can still limit traffic for web requests with non-preferred Host: headers.
Using Flash, we can impersonate being a Host: forany site on the Internet when we provide a speedcheck.
The thinking is that the attacker/provider wontmonitor the IP address used to contact Host:www.whatever.com, and will thus equally ratelimit traffic with that Host: no matter whatprovider.
http://www.whatever.com/http://www.whatever.com/8/14/2019 DMK BO2K7 Web
47/67
8/14/2019 DMK BO2K7 Web
48/67
Well We want to spoof sites on the Internet.
We want to know what these sites would see.
We want to be able to respond as if we were thesesites.
We dont want the real sites to interfere with our
interference.
Good luck! That would requiresequencenumbers.
Wed have to know where in the TCP stream an
attacker was, and thats clearlynot possible
8/14/2019 DMK BO2K7 Web
49/67
OMG ACTIVEX FTW
8/14/2019 DMK BO2K7 Web
50/67
PACKET CLAUS IS COMING TO
TOWN
8/14/2019 DMK BO2K7 Web
51/67
Introducing: INSPECTOR PAKKET What normally stops Mallory from pretending to be a random
site on the Internet?
Mallory doesnt know sequence numbers client will
accept Mallory has to compete with real server for the sending of
data
What do we have?
A sniffer that will leak sequence numbers to Mallory
What can Mallory now do?
Send data to the client that itll accept
Send a RST to the server so itll shut down the
session it has with the client
8/14/2019 DMK BO2K7 Web
52/67
Go Pakket Go! About that RST
RST is a TCP Reset message it shuts down a socketrather unceremoniously
Requires correct SEQ#, but dont worry, we have that When Mallory spoofs Bob to Alice, Alice is going to ACK toBob
Normally, Bob will send RSTs back to Alice, since theresno associated session
Thankfully, Bob is usually running a firewall that longsince shut down its connection for Aliceand so dropsall of Alices ACKs that have been stimulated by Mallorystraffic!
And just to be clear, how is Mallory getting those ACKs?
AJAcks: TCP Acks over AJAX
8/14/2019 DMK BO2K7 Web
53/67
Go Go Pakket Pwn The goal is to identify the applications being used on the
network, but some of these devices can go much further;those from a company like Narus, for instance, can lookinside all traffic from a specific IP address, pick out the HTTP
traffic, then drill even further down to capture only trafficheaded to and from Gmail, and can even reassemble emailsas they are typed out by the user.
Given a colluding client, I can:
Impersonate anyone who doesnt ACK my traffic
Generate arbitrary traffic that is completelyindistinguishable from theirs
Provide deep packet inspectors with a whole newrealm of content to inspect.
I recommend inspecting this information. Deeply.
8/14/2019 DMK BO2K7 Web
54/67
Conclusions DNS Rebinding threatens the boundaries of your network
There are multiple rebinding mechanisms and many
major use cases for each of them; this will not be an easy
problem to fix. The web could use some real work on its underlying
security models
We may need to consider applying integrity, and perhaps
encryption to all web traffic due to provider hostility
There are mechanisms for detecting such hostility thatshould be deployable shortly.
8/14/2019 DMK BO2K7 Web
55/67
[extra slides]
8/14/2019 DMK BO2K7 Web
56/67
My Process Sit down
Relax
Put some music on Start writing code
Get totally distracted
Write something completely differentthan intended
Find out later why
8/14/2019 DMK BO2K7 Web
57/67
A Fun Little Distraction Dotplots??? WTF!
Best feedback Ive ever gotten
Dotplots are a mechanism for visually analyzing similarity
across a dataset See last years talk for details
So I decided to port last years talk to WinAMP.
Im listening to music
I like pretty pictures
I should like listening to music that generates pretty
pictures!
Be nice to code something that Id never show at Black Hat!
8/14/2019 DMK BO2K7 Web
58/67
The Chemical Brothers,
Where Do I Begin
8/14/2019 DMK BO2K7 Web
59/67
+30% vs. -30% tempo
8/14/2019 DMK BO2K7 Web
60/67
LudiVu: Realtime Audio Visualizer Images are based directlyon spectral similarity
How similar is what Im hearing now, to what Ive heard
for the last n seconds?
Bass = Red Midrange = Green
Treble = Blue
Our auditory system almost certainly does this too
Always good to match what the ear is up to
Our auditory system almost certain does this better
Amazingly apocalyptically nave similarity metric!
8/14/2019 DMK BO2K7 Web
61/67
What We See Visual Hash of auditory segments, based on mutual
similarity/dissimilarity across frequencies
Reflects overall timbre of what were hearing
Vertical lines representing repeated structures in the music Lines close = Fast Tempo
Lines far away = Slow Tempo
Tradeoff between visual hash and structure detection
Blur less, get better visual hashing
Blur more, get better structure detection
8/14/2019 DMK BO2K7 Web
62/67
So Why Is This At Black Hat? Im doing web research!
One of my friends, Zane Lackey, knows
AJAX quite well and is in town We go out for beers.
Me: So Im working on this really cool
thing, it makes pictures from sound!
Zane: What, for Audio CAPTCHAs?
Me:
8/14/2019 DMK BO2K7 Web
63/67
Whatsa CAPTCHA? CAPTCHA: Completely Automated Public Turing test to tell
Computers and Humans Apart
Used to bind access to a resource to the presence of ahuman
Web sites use them to suppress bots
So I get this email, in response to me breaking CAPTCHAs...
CAPTCHA is quite annoying. I use a few programs tosend "auto-messages" and to "steal friends" from others'pages. They had a way around the CAPTCHA system for
a while, but not anymore. Check out www.xxx.com andwww.yyy.com. I dunno, I have 5 different accounts, and Iadd 300 people a day on each one, so imagine - I'mtyping 250+ CAPTCHA codes a day on this damn thing.;)
8/14/2019 DMK BO2K7 Web
64/67
AmIHumanOrNot The general idea is to use a humans superior
ability at figure/ground separation to differentiatehuman/machine
Image Captchas: Text, distorted and overlaid withlines and other non-text shapes
Problem: Blind people cant get in
Audio Captchas: Speech, distorted and overlaid
with quieter speech Humans get a 10db boost in perception simplyby paying conscious attention
Problem: Audio is actually easier to hack.
8/14/2019 DMK BO2K7 Web
65/67
Detecting 8
8/14/2019 DMK BO2K7 Web
66/67
and 9
8/14/2019 DMK BO2K7 Web
67/67
Tips For Building Better Audio
CAPTCHAs
Dont actually make your speech much louder than
your noise
Easy to sync on regions of high volume Expand your vocabulary
Use a sentence, rather than words in isolation,
as were much better at parsing them
Ask a question, perhaps?
My name is Bob. How many letters are in my
name?