Archive for the 'Family' Category

Jul 21 2014

Can I use Dropbox?

Published by under Encryption,Family,Privacy,Risk

I know security is coming to the public awareness when I start getting contacted by relatives and friends about the security of products beyond anti-virus.  I think it’s doubly telling when the questions are not about how to secure their home systems but about the security of a product for their business.  Which is exactly what happened this week; I was contacted by a family member who wanted to know if it was safe to use Dropbox for business.  Is it safe, is it secure and will my business files be okay if I use Dropbox to share them between team members?

Let’s be honest that the biggest variable in the ‘is it secure?’ equation is what are you sharing using this type of service.  I’d argue that anything that has the capability of substantially impacting your business on a financial or reputational basis shouldn’t be shared using any third-party service provider (aka The Cloud).  If it’s something that’s valuable enough to your business that you’d be panicking if you left it on a USB memory stick in your local coffee shop, you shouldn’t be sharing it via a cloud provider in the first place. In many cases the security concerns of leaving your data with a service provider are similar to the dropped USB stick, since many of these providers have experienced security breaches at one point or another.

What raised this concern to a level where the general public?  It turns out it was a story in the Guardian about an interview with Edward Snowden where he suggests that Dropbox is insecure and that users should switch to Spideroak instead.  Why?  The basic reason is that Spideroak is a ‘zero-knowledge’ product, where as Dropbox maintains the keys to all the files that users place on it’s systems and could use those keys in order to decrypt any files.  This fundamental difference means that Dropbox could be compelled by law to provide access to an end user’s file, while Spideroak couldn’t because they don’t have that capability.  From Snowden’s perspective, this difference is the single most important feature difference between the two platforms, and who can blame him for suggesting users move.

Snowden has several excellent points in his interview, at least from the viewpoint of a security and privacy expert, but there’s one I don’t think quite holds up.  He states that Condoleezza Rice has been appointed to the board of directors for Dropbox and that she’s a huge enemy of privacy.  This argument seems to be more emotional than factual to me, since I don’t have much historical evidence on which to base Rice’s opinions on privacy.  It feels a little odd for me to be arguing that a Bush era official might not be an enemy of privacy, but I’d rather give her the benefit of the doubt than cast aspersions on Dropbox for using her experience and connections.  Besides, I’m not sure how much influence a single member of the board of directors actually has on the direction of the product and the efficacy of its privacy controls.

On the technical front, I believe Snowden is right to be concerned.  We know as a fact that Dropbox has access to the keys to decrypt user’s files; they use the keys as part of a process that helps reduce the number of identical files stored on their system, a process called deduplication.  The fact that Dropbox has access to these keys means a few things; they also have access to decrypt the data if they’re served with a lawful order, a Dropbox employee could possibly access the key to get to the data and Dropbox could potentially be feeding into PRISM or one of the many other governmental programs that wants to suck up everyone’s data.  It also means that Dropbox could make a mistake to accidentally expose the data to the outside world, which has happened before.  Of course, vulnerabilities and misconfigurations that results in a lapse of security is a risk that you face when using any cloud service and is not unique to Dropbox.

I’ve never seen how Dropbox handles and secures the keys that are used to encrypt data and they haven’t done a lot to publicize their processes.  It could be that there are considerable safeguards in place to protect the keys from internal employees and federal agencies.  I simply don’t know.  But they do have the keys.  Spideroak doesn’t, so they don’t have access to the data end users are storing on their systems, it’s that simple.  The keys which unlock the data are stored with the user, not the company, so neither employees nor governmental organizations can access the data through Spideroak. Which is Snowden’s whole point, that we should be exploring service providers who couldn’t share our data if they wanted.  From an end-user perspective, a zero-knowledge is vastly preferable, at least if privacy is one of your primary concerns.

But is privacy a primary concern for a business?  I’d say no, at least in 90% of the businesses I’ve dealt with.  It’s an afterthought in some cases and in many cases it’s not even thought of until there’s been a breach of that privacy.  What’s important to most businesses is functionality and just getting their job done.  If that’s the case, it’s likely that Dropbox is good enough for them.  Most businesses have bigger concerns when dealing with the government than whether their files can be read or not: taxes, regulations, taxes, oversight, taxes, audits, taxes… the list goes on.  They’re probably going to be more concerned with the question of if a hacker or rival business can get to their data than if the government can.  To which the answer is probably not.

I personally use Dropbox all the time.  But I’m using it to sync pictures between my phone and my computer, to share podcast files with co-conspirators (also known as ‘co-hosts’) and to make it so I have access to non-sensitive documents where ever I am.  If it’s sensitive, I don’t place it in Dropbox, it’s that simple.  Businesses need to be making the same risk evaluation about what they put in Dropbox or any other cloud provider: if having the file exposed would have a significant impact to your business, it probably doesn’t belong in the cloud encrypted with someone else’s keys.

If it absolutely, positively has to be shared with someone elsewhere, there’s always the option of encrypting the file yourself before putting it on Dropbox.  While the tools still need to be made simpler and easier, it is possible to use tools like TrueCrypt (or it’s successor) to encrypt sensitive files separate from Dropbox’s encryption.  Would you still be as worried about a lost USB key if the data on it had been encrypted?

 

One response so far

Oct 17 2013

What’s a micromort?

Published by under Family,Humor,Risk

One of the cool things we’ve found on TV since moving to the UK is QI XL.  It’s a BBC show hosted by Stephen Fry where they take a rather comedic romp through a bunch of facts that may or may not have anything to do with one another.  Last night’s show was about Killers and a term that was completely new to me came up, a unit of measure called the ‘micromort’.  It’s basically a measurement equal to a one in a million chance of dying because of a specific event.  Really, it’s a scientifically valid measurement of risk.  And yes, our family has a strange idea of ‘cool’.

Why is the micromort important and relative to security?  Because humans, and security professionals are included in that category, have a horrible sense of the the risks involved in any action.  For example, you are 11 times more likely to die from a 1 mile bike ride, .22 micromorts, than you are from a shark attack, .02 micromorts.  Yet the same people who fear sharks greatly but are willing to go on a bike ride on a daily basis.  And many of those people smoke, which is a single micromort for each 1.4 cigarettes smoked.  People suck at risk analysis.

So could we come up with a similar unit of measurement for the risk in a million of a single action leading to a breach?  Someone needs to find a better name for it, but for the sake of argument, let’s call it a microbreach.  Every day you go without patching a system inside your perimeter is worth a microbreach.  Deploying a SQL server directly into the DMZ is 1000 microbreaches.  And deploying any Windows system directly onto the Internet is 10 million microbreaches, because you know that it’ll be scanned and found by randomly scanning botnets within minutes, if not seconds.

The problem is that the actuarial tables that the micromort measurements are drawn from millions of daily events.  People die every day, it’s an inevitability and we have a very black and white way of measuring when a person is dead.  We can’t even really agree on what constitutes a breach in security at this point in time, we don’t have millions of events to draw our data from (I hope) and even if we do, we’re not reporting them in a way that could be used to create statistical data about the cause of these events.

Some day we might be able to define a microbreach and the cost of any action in scientific terms.  There are small sections of the security community that argue endlessly about the term ‘risk’ and I have to believe they’re inching slowly towards a more accurate way to measure said risks.  I don’t expect those arguments to be settled any time soon, and perhaps not even in my lifetime.  So instead I’ll leave you with an entertaining video on the micromort to watch.  Thanks to David Szpunar (@dszp on twitter) for pointing me to it.

No responses yet

Dec 18 2011

Open tabs 12/18/11

Published by under Family,Government,Hacking,Malware

Long night last night.  We went to something called a pirate gift party; sort of like a white elephant gift (cheap, person A can take a gift from the table or steal from person B) except most of the gifts were wrapped in tinfoil cleverly disguised to hide their true nature.  Two minor variations from a normal white elephant gift is that there is no limit to the number of times gifts can be stolen per turn and no one gets to open the gifts until the last gift is chosen from the table.  This led to an interesting ‘defense’ strategy; since there was a gift that was wrapped to look like Thor’s Hammer that my Spawn wanted, they worked together to make sure they kept it at all cost.  Basically, when person A stole the hammer from whoever was holding it, that Spawn would steal his brother’s gift, and that Spawn would steal the hammer back.  This was a pretty good strategy, until Spawn1 lost concentration at one point and went after a different shiny object.  It all ended up good in the end, though another pair challenged the Spawn to a game of endurance to see who wanted the hammer the most.  It ended up being a 15 minute round robin of gifts being stolen and restolen that left everyone laughing.  Oh, and “Thor’s Hammer” ended up being a cleverly disguised box with chocolate and money in it, with a broom handle that was acting as the handle.

Oh, and very importantly, It’s that time of the year! Security Bloggers Meetup invites have gone out.

Open Tabs 12/18/11:

No responses yet

Nov 22 2011

Open tabs 11/22/11

Published by under Family,Hacking,PCI,Risk

I got home Sunday from 3 days in Las Vegas, two of which were spent at the first ever Minecon.  For those of you who aren’t the parents of Minecraft addicts or addicts yourselves, it’s a game where you create a whole world then mine it for resources and build just about anything you can imagine.  It’s multiplayer, sometimes massively so, and it’s very easy to set up your own server and be hosting it for the world in a matter of hours.  Unluckily, it may be too easy; people who can barely figure out what their IP address is are setting up servers on their desktops then sharing their systems with friends via Hamachi or simply opening their home network to the world. It’s enough to give a security professional an aneurism!  I wrote up my own experience in creating a cloud server for Minecraft in April, but that server never caught on with the kids.  So now I’m trying a different solution, MineOS Crux, a custom build distribution of Ubuntu specifically created for people who want a secure, lightweight Minecraft installation.  I’m running it as a VM on my Mac Mini server and exposing it to the world on a non-standard port, plus I locked down the distro a little more than the standard build.  I’m still more than a little paranoid about it, so if the kids aren’t using it, it’ll go away.

Oh, and the kids got me to start playing Minecraft as well.  Good thing there are a lot of long holiday weekends coming up.

Open Tabs 11/22/11:

No responses yet

Nov 11 2011

Open Tabs 11/11/11

Whether you call it Veteran’s Day, Pocky Day,Binary Day or something else, it’s Friday, I don’t know about you, but I’m looking forward to this weekend and spending some time with friends.  Being a parent, I don’t get out for adult time as much as I once did, which makes the rare occassions all that much more special.

If you know a veteran, today would be a good day to tell them thanks.  I ‘repaired’ radios long ago and far away on a little artillery base in Germany.  I put repair in quotes because our job was to say “Yep, it’s broken”, replace the radio and send the broken one off for repair by someone who actually did electronics troubleshooting.  I was lucky and my enlistment was during a relatively peaceful time, but we have hundreds of thousands vets out there who saw events and actions most of us can’t even imagine.  Please respect them for their sacrifices.

I haven’t done this in a few days, so there’s a lot of built up articles.

Open Tabs 11/11/11:

No responses yet

Oct 28 2011

Why “Wife0″ and the Spawn?

Published by under Family,Privacy,Social Networking

I’m not much of a programmer.  I’ve written a few thousand lines of code in my life, but that’s just enough to make me familiar with the generalities of programming.  One of the things I learned early is that I could either learn to program and sacrifice a large amount of my social skills in the process, or I could learn to pretend to be relatively normal instead.  But one thing I did learn about programming is that you always start any array at 0, not 1.  Though Andy Ellis did have to remind me of this a couple years ago when I started tweeting about my family occasionally.

If you follow me on twitter (@mckeay) you’ll know that I occasionally write about some of the things my family do and/or say.  Even if they sometimes only do and/or say the things I attribute to them in my head.  And whenever I mention their actions, real and imagined, I refer to them as “Wife0″, “Spawn0″ and “Spawn1″.  Which causes me to get a lot of questions about why I call them that.  As well as the occasional joke about “Does that mean you plan on instantiating Wife1?”  To which I reply, “No, since instantiation of Wife1 would require the utter destruction of the Martin parent process”  Oh, geek humor.

Why don’t I just refer to them by name?  Partially because it’s become a running joke in the family and it amuses me.  But mostly because the names of my family are none of the business with 99% of the people who follow me on twitter and of 99.99% of the people on the Internet!  If you know me well enough that I feel like telling you or if I know you well enough that I’ve actually introduced you to my family, then you have a right and need to know what their names really are.  But if you’re an ‘internet friend’, someone I meet every few months at a conference or simply someone who’s decided to follow me because I’m sometimes entertaining on twitter, there’s no need or reason for you to know what I call my family at home.  I always refer to Wife0 as Wife0, Spawn0 as Spawn0 and Spawn1 as Trouble… er, Spawn1. 

Seriously though, there’s enough information leakage that I knowingly let out on twitter and the blog.  And I leak a fair amount of information about my wife and children just by talking about them from time to time.  If someone really wanted to, it wouldn’t be that hard to look them up and find out who they are, where we live and any number of other facts about my family.  But I see no need to make that any easier by spewing out their names every time I want to share an amusing anecdote with my friends and followers on the Internet.  I give them some small manner of anonymity by not referring to them by name and by making no guarantees that anything I’ve ever said about them was based on reality.  And there’s a fair portion of what I say about them on twitter really does only happen in my mind.  But that doesn’t mean it amuses me any less.

2 responses so far

Apr 17 2011

Cloud experiment: Minecraft

Published by under Cloud,Family,Linux

I have two young boys who are addicted to Minecraft.  They wake up in the morning, log onto a Minecraft server, play as long as we’ll let them and then get back onto the servers as soon as we’ll let them.  I was a little concerned at first because I really didn’t know much about the game, but I discovered I had several adult friends in the security community who were also playing the game, so I was willing to let the boys play on a system a friend runs.  I don’t know about you, but it makes me feel a lot better about letting my kids play online when I know I can contact the administrator with a quick phone call or email.

Playing on someone else’s server is fun for the boys, but since Minecraft is a game of mining resources and constructing almost anything you can imagine, an eventual request came to build the boys their own server.  Minecraft isn’t very resource intensive, it’s a Java based program that runs pretty decently on a low end server, at least if you only have two or three people using the server at a time.  Since, like most geeks, I have several computers that are running 24/7 and have some spare memory, I was able to throw up our own home Minecraft server without too many problems.  And as Minecraft has matured and added plugins, I could give the boys additional capabilities and superuser access so they can give themselves whatever resources they want to build anything they want.  This kept them happy for a little while and gave me something to hold over their heads to get their homework done.  It’s a lot easier to deny them access to the server when you can shut it down in a couple of seconds.

The next step came when the boys told their cousin about Minecraft and he started playing as well. It’s a community game and they often play together on public servers, but the lure of having superuser accounts and just having control of their environment with their cousin was strong.  So the continuing plea of ‘Dad, can we make our Minecraft server public?” started.  With the continued reply of “No.” to go with it.  They tried several tactics, such as explaining the white and black listing capabilities of Minecraft, offering their cousin’s server instead if I’d tell them how to make it public, as well as several other plans that only a pre-teen could come up with.  All of which were still denied.

It’s not that I don’t want my sons to have their own Minecraft server, it’s just that the security of my home network is more important to me than them playing a game that necessitates poking a hole in my network to the outside world.  I’m a security professional and I know that despite that, I don’t know enough to lock down any program with 100% certainty once I’ve opened it up to the Internet.  I do not currently allow any services to be served to the Internet from my home network and I have no intentions of changing that in the near future.  I’ve also had several discussions that lead me to believe that while Minecraft doesn’t have any currently know publicly exploitable vulnerabilities, security is not a major concern of the developers and it’s only a matter of time before someone turns their full attention to rectifying the lack of exploits.  Especially considering how popular Minecraft has become.

I’m the kind of father who wants to give their kids as many geek toys as he can, first to test my own abilities and second to give them something to stretch their own capabilities.  Or perhaps it’s the other way around.  In either case, I wanted to give my kids what they wanted, a publicly accessible Minecraft server that was not part of my home network and did not put any of my resources at risk, however minor.  Which is when I realized I had a technology I’ve been meaning to learn more about and was just looking for an excuse to play with:  the Cloud!  I’ve been remiss in my duties as a geek and security professional in that I’d been reading about Cloud technologies, I’ve been listening to what others have to say and I’ve even given a talk about PCI in the Cloud, but I’d never actually signed up for a cloud service and created my own server because I didn’t have a real use for one.  Setting up a Minecraft server on Amazon’s EC2 this weekend became the perfect solution to both issues, giving the boys a Minecraft server that I didn’t care who connected to and giving me a chance to stretch a little and learn more about the technology that is on everyone’s lips this year (and probably the next several)

I’ll be honest, one of the things that made this easy is that I found a step by step guide to creating a Minecraft server on the Minecraft forums.  I’m including a copy of the guide in the extended post because I don’t want to take the chance of losing the information if something happens on the forums, an old habit of mine.  I’ll add a few of my own notes to it as well.  This was a huge help and probably cut my installation time by 3/4.

Signing up for all the Amazon Web Services was easy and only took about 30 minutes.  I needed to sign up for these in any case for another project, but that’s someone else’s tale to tell when he’s ready.  From that point on, the guide was spot on.  I don’t think it was more than 30 minutes later that I had the boys personal Minecraft server up and running.  As suggested, I chose a small, spot request instance of the default Linux installation, reserved an Elastic IP address, associated it and the server was up and running.  I performed a few additional steps, like installing Bukkit and half a dozen plugins that the boys requested.  Most of it was as easy as using wget to pull first bukkit and then the plugins and restarting server.  I did have one minor problem in that one of the plugins was being hosted on a server using HTTPS and I had to modify the wget parameters, but that’s relatively minor to overcome.

I’ve been running our Minecraft server on Amazon’s EC2 for about 24 hours now.  I made it clear to the boys that this server is only going to be up when evenings and weekends, which turns out to be a good thing.  It’s not a huge cost, but in the past day this installation of Minecraft has cost me approximately $1.50 to run at a fairly low load, which could quickly add up to $40-50 or more per month.  If there were more people using it, if their cousin actually had a full Minecraft account and could play with them, and if I didn’t already have a Minecraft server running on the home network, I might be willing to pay that, but for the most part they’re going to have to live with the server only being available when I say it is.  I’m not an authoritarian … wait, no scratch that.  When it comes to my kids, yes, I am the authorities and my wife lets me say so.

All in all, this was a worthwhile project; it gave me some experience with the Cloud and specifically AWS.  I walked the kids through some sections of the installation, which taught us all a few lessons.  They get a Minecraft server they can share with their cousin and friends, without my having to open my network or pay an arm and a leg.  But I am realizing that it’s important to watch your Cloud instances or you’re going to end up paying a lot more than you thought very quickly.

Continue Reading »

17 responses so far

Sep 13 2010

What skills should a geek kid learn?

Published by under Family,Hacking,Social Networking

In a few weeks HacKid will be coming up in Boston at the Microsoft NERD Center.  Flying cross-country to attend with my family didn’t quite work out, but it did get me thinking some about the skills I’d like my two boys to master before they’re too old to learn to learn anything from their father or any adult, which I figure is about 15.  I don’t mean the stuff they learn in school, which while valuable are not necessarily the skills they’re going to need to survive on a daily basis.  I was wondering about the geek skills, both technical and non-technical.  Since I’ve recently started playing with lock picks, I decided that would be one of the first of these skills, but I turned to the wisdom of Twitter to add to the list.  Below is a compilation of the list I started and some of the suggestions I got from Twitter.

Here you go:

  • Lock picking (physical security being taught at HacKid)
  • How to social engineer a password from someone
  • Fix a printer (or at least replace the paper/cartridge and pull out jammed paper)
  • Martial arts/Self-defense (also being taught at HacKid)
  • Electronics/soldering/circuit boards (I’d have to learn more about this one myself)
  • Amateur (Ham) radio
  • Fast reading/Critical thinking (they’ve got the first handled, I can barely keep these kids in books)
  • Conflict management
  • How to build a tree fort
  • How to build a home network
  • How to build a computer
  • How to change a tire (This one will wait until they’re a little older)
  • How to repair a consumer device, how to fix a motor
  • How to improvise to build what they need (aka Duct tape foo)
  • Role playing games (so this one will do more harm than good, it’s still fun)
  • Basic self-reliance (which our society seems to want to train out of us) [ireadit]
  • Basic carpentry and plumbing skills [ireadit]
  • Debate skills [Matt Summers]
  • Rope skills: how to make, how to coil without kinks, how to tie knots [Chris J]
  • Bike maintenance [Robin]
  • Basic navigation, both with and without a compass (my kids have been orienteering since they were in diapers) [Robin]
  • Juggling (fun, but essential?) [Robin]
  • Coin/close up magic, handy for social engineering [Robin]
  • How to swim [Norbert]
  • Learn to play an instrument [Robb]
  • How to play all major sports [Robb]
  • Basic cooking skills [Peter]
  • Basic first aid (Like ‘Call 911!’?) [Peter]
  • Linux & Windows command-line fu, a programing language (Does Scratch count?) [Chris]
  • And?

Leave comments and I’ll add to the list

16 responses so far

Aug 25 2010

May see you at HacKid

Published by under Family,Hacking

Zach Lanier brought up HacKid (pronounced ‘hacked’ I’m told) on the podcast last night and I just realized I haven’t even written a single post on the subject.  My friend Chris Hoff, aka @beaker, is one of the key organizers and Zach is on the committee as well, and this looks like it’s going to be the start of something that’s every bet as fresh and original as BSides, except this time it will be kids who are learning, rather than a bunch of angsty security professionals who felt they weren’t being properly represented at Black Hat (I’m teasing, if that isn’t immediately obvious)

My kids are little geeks, similar to many of your kids in all likelihood.  They wake up in the morning and hop online or start playing on the DSi, or just pick up a book and read.  Their favorite magazines are Make and Science Illustrated.  And some fool introduced them to Japanese (is there any other type?) anime a couple of years ago.  So a convention aimed at teaching them how the Internet works, how to stay safe online and building robots really appeals to them.  Add to it that the convention is happening at the Microsoft NERD center and MIT is just down the street and you’ve got something that budding geeks will find unresistable.

If you’re on the East Coast anywhere near Boston, have kids between the ages of 5 and 17, think about taking them to HacKid in October.  Do keep in mind that every young person must be accompanied by an old person (read: adult guardian), but that each of the classes will likely have almost as much to teach the adult as they do the kids.  Everything is being done on a volunteer basis and the event is organized as a non-profit, so the money is all going to a good cause.  But hurry if you’re going to sign up, the cost goes up from $50 each to $75 next week. 

One response so far

Aug 08 2010

Would you let your wife track your movement? I will

Published by under Apple/Mac,Family,Privacy

I make no secret of how much I value privacy.  Which is weird coming from someone like myself who spends so much time on social networking, blogging and generally shouting my activities to the world.  But I control most of that information, which is what privacy is all about in the digital age.  So why am I talking about letting my wife track my every move?  Because I received a press release about the Family Tracker application for the iPhone and iPad, and rather than just go on a diatribe about how such a system could be misused, I have decided that for the next few weeks I will voluntarily give my wife the ability to track the location of my iPhone anywhere it goes.  And since I’m almost never without my iPhone, it means she’ll be able to track my movement at all times.  Besides, she just gave me “the Look” when I asked if it was okay for me to track her movements; allowing her to track me was obviously a healthier choice.

I don’t like the idea of tracking of people, especially if they don’t know about it.  The potential for abuse far outweighs the benefits in most cases.  Whether it’s a spouse or parent abusing the tracking, someone abusing access to the vendor or law enforcement legally tracking someone, I get very nervous about what CAN happen.  So when I got the press release for Family Tracker and an offer for promotional codes, I decided it was time to bite the bullet that is my paranoia and see how a tracking program like this is used in real life. 

I travel.  A lot.  In the next few weeks I’ll be crossing the country several times and I’ll be gone from home more than I’ll be there.  I post my travel schedule on several calendars around my office, so which city I’m in is rarely a question and I use FourSquare enough that my location has never really been a mystery anyway.  But I’ve always been in control of both of these methods of tracking and giving my family a tool to tell where I am almost every moment of the day is new and interesting experience for me.  I suspect that my wife will look me up once or twice and then ignore the application 99% of the time.  But she has surprised me before.

I’ve set it up so I can track myself and my iPhone from my iPad, so even if my wife doesn’t want to track me, I can still find out more about what the program is capable off.  And unless I do something stupid that involves the police, I doubt anyone else will want to track me.  If anyone really wants to know my whereabouts, there’s more than enough information already on the Internet to find me if someone takes the time.  This will just make it a little easier.

So through the end of the month my little social experiment will be running. After that, we’ll see.  It may be that my wife likes being able to track me.  Or she may just say, “Meh.  If I want to know where you are, I’ll just call.”  I’m almost as interested in seeing how she uses Family Tracker as I am in seeing if she thinks being able to track me is worthwhile.  I honestly don’t know which way she’ll decide.

After the break is the information the folks at LogSat sent me when I expressed interest in their product, which covers several important questions about how Family Tracker works.
Continue Reading »

2 responses so far

Next »