Security It's funny.  Laugh.

Australian Police Database Lacked Root Password 214

Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"
This discussion has been archived. No new comments can be posted.

  • by gcnaddict ( 841664 ) on Tuesday August 18, 2009 @09:07PM (#29114001)
    That's the smell of someone being fired.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Tuesday August 18, 2009 @09:10PM (#29114021)
      Comment removed based on user account deletion
      • Re:mmmm........ (Score:5, Insightful)

        by gcnaddict ( 841664 ) on Tuesday August 18, 2009 @10:25PM (#29114611)
        Government employees are always fired when their actions (or inaction) embarrass the nation.

        Incompetence? You're right; employees typically aren't fired for that, but causing major embarrassment is always grounds for termination.
        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Tuesday August 18, 2009 @10:46PM (#29114775)
          Comment removed based on user account deletion
        • Re:mmmm........ (Score:5, Insightful)

          by Mr. Freeman ( 933986 ) on Wednesday August 19, 2009 @02:21AM (#29115793)
          No, SOMEONE is always fired when their action causes embarrassment to the nation/their boss/etc.

          It most sure as hell IS NOT the person that should be fired.
        • by hany ( 3601 )

          Well, example from Slovakia (part of EU): When (not if, when) the minister causes too much trouble (like say stealing so much that it is impossible to cover it up) he gets kicked out. But hey, his comrades won't let him fall on the street. He gets a new job as a member of parliament - usually position with much less work but better pay.

          Now, I just wonder where is the motivation for a minister to do a good work (for the citizens).

        • Re:mmmm........ (Score:4, Insightful)

          by lena_10326 ( 1100441 ) on Wednesday August 19, 2009 @02:50AM (#29115933) Homepage

          Government employees are always fired when their actions (or inaction) embarrass the nation.

          Is president of the United States considered a government employee? Cuz... that totally messes up your comment if so.

        • by Mat'nik ( 1291540 ) on Wednesday August 19, 2009 @04:46AM (#29116433)
          0. A government employee may not harm the government, or, through inaction, allow the government to come to harm.
          1. A government employee may not harm a politician or, through inaction, allow a politician to come to harm, except where such orders would conflict with the Zeroth Law.
          2. A government employee must obey any orders given to it by politicians, except where such orders would conflict with the Zeroth or First Law.
          3. A government employee must protect its own existence as long as such protection does not conflict with the Zeroth, First or Second Law.
      • Woah! Not so fast there Tex. Nobody'll get fired. Not even a reprimand. Incident reports will have to be submitted and if it is considered really, really bad, a 'problem' ticket will be requested. But that's it.

        Australian government ... Vogons aren't even in the same class.

      • by mcgrew ( 92797 ) *

        Oh, bureaucrats have been fired for incompetence in the US. Just not the politically connected ones. What I wonder is, if their IT staff is that incompetent, are the police officers as bad? It only takes one idiot to tarnish an entire organization.

    • That's the smell of someone being fired at.
    • by actionbastard ( 1206160 ) on Wednesday August 19, 2009 @01:34AM (#29115581)
      That's some really fine police work there Lou.
    • by cawpin ( 875453 )
      "Can you be charged with breaking and entering a house that has the door left wide open?"

      Um, yes, you can. Breaking doesn't mean you broke something physically. It means breaking the plane of entrance into a structure. ./ really needs to make sure their "editors" know what schitt means.
      • Re: (Score:3, Informative)

        by PRMan ( 959735 )

        Breaking and entering is the crime of entering a residence or other enclosed property without authorization and some element of force.

        Wrong. You must physically disable a security system. Otherwise, what is trespassing?

  • a legit hack (Score:5, Insightful)

    by Lord Ender ( 156273 ) on Tuesday August 18, 2009 @09:07PM (#29114007) Homepage

    They broke out of a honeypot, discovered the available services on a private network, then found and exploited a service that was misconfigured.

    Believe it or not, most hacks don't involve writing custom exploit code. They just require some work and the sense to know what you're looking for.

    • by billstewart ( 78916 ) on Tuesday August 18, 2009 @09:59PM (#29114393) Journal

      I hope the crackers were polite enough to give it one....

    • Re:a legit hack (Score:4, Informative)

      by rivetgeek ( 977479 ) on Tuesday August 18, 2009 @10:10PM (#29114491)
      Uh...no. The article states they just used SQL injection to insert an include to a remote php file (the idiots apparently hadn't disabled remote file includes). The included file was basically a dashboard that did directory listings and file transfers. I did a contract cleaning up a similar mess (URL-RFI Injection). The hardest part about the entire hack was probably finding the SQL injection point.
      • Re:a legit hack (Score:4, Insightful)

        by Lord Ender ( 156273 ) on Tuesday August 18, 2009 @10:13PM (#29114515) Homepage

        And? A hack doesn't have to be "hard" to be a hack. As the word is popularly used today, breaking into a computer through nonobvious (to the average person) means is hacking.

        • Re: (Score:3, Insightful)

          By your definition, visiting the FTP server I found running on your PC is hacking. Last month I opened a browser and typed "ftp://ftp.mozilla.org/" to look for an older version of Firefox. I didn't know if such a thing existed, I was just guessing. This is probably hacking, too.

      • by Capsaicin ( 412918 ) on Tuesday August 18, 2009 @11:26PM (#29115001)

        The article states they just used SQL injection

        The article is wrong. Quoting (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:

        ... you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed.

        The journalist (Asher Moses) simply got it wrong. It happens.

        • Re: (Score:2, Insightful)

          by rivetgeek ( 977479 )
          Are you (or he, I haven't read his comment) trying to say that mysql was accessible from the outside to arbitrary connections directly? I find that pretty hard to believe.
          • Re: (Score:3, Informative)

            by Capsaicin ( 412918 )

            Are you (or he, I haven't read his comment) trying to say that mysql was accessible from the outside to arbitrary connections directly? I find that pretty hard to believe.

            It appears to be what he (or someone claiming to be him) is saying, or am I misreading him. For your benefit, I'll quote his comment in its entirety:

            @killjoy - you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed. Also, according to what we were presented, the AFP commandeered this server as part of an investigation - so it may not necessarily have been a honeypot per se.
            @k@icolo - you'll be surprised, its just human nature. It could easily have happened to security folks (such as us) as well - especially if we're not vigilant.
            @Luke | Melbourne - the point of the 4corners exercise was to demonstrate what would happen in the scenario where a wireless AP was not encrypting traffic - you may be using WPA2 but a lot of people aren't, nor would they know how to enable it.
            Posted By: Shaon Diwakar | HackLabs - August 18, 2009, 10:00PM

            How do you read that?

            Note also that he indicates that this was not an AFP machine, or a machine normally administered by the AFP, but a machine "commandeered" (which on reflection probably m

      • by Splab ( 574204 )

        How do you inject an include? To do that wouldn't that mean the programmer not only didn't parse his input for SQL, but also chose to blindly execute code coming from the database?

        • Re: (Score:2, Informative)

          by rivetgeek ( 977479 )
          Most coders don't sanitize code coming from a trusted source. They sanitize input from users, but something like a SQL injection is generally an effect of improper user-san anyway.

          Imagine you have a script that just includes a user's profile data (user.php) from a flat file (stupid, I know, but it's an example), by entering in a remote file to a field, it might be sanitized, however in a SQL injection you could overwrite "user.php" with http://www.evilsite.com/evilscript.php [evilsite.com]

          Myspace ran into this issue
  • by JoshuaZ ( 1134087 ) on Tuesday August 18, 2009 @09:12PM (#29114031) Homepage
    Most jurisdictions that formally define "breaking and entering" make it synonymous with burglary (which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.
    • Australian law has a separate charge for unauthorised access to a computer system under the computer crimes act
      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Tuesday August 18, 2009 @10:41PM (#29114739)
        Comment removed based on user account deletion
        • Re: (Score:3, Funny)

          Good to know. I had a feeling it was a crime for local cops to download my email. I didn't know it was a felony.

          After they started monitoring my internet connection (or rather, the internet connection I happen to use), my reaction was to stop checking my email. Obviously, email is pretty important, so not checking your email can have serious personal consequences. You might miss friends trying to get in touch or business opportunities.

          Well, the cops didn't want that, so their reaction was to start
        • Re: (Score:2, Insightful)

          by Whalou ( 721698 )

          So, breaking your neighbors WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.

          How can I know the felony is worth it if I can't look at his porn stash first!

    • by jasonwc ( 939262 ) on Tuesday August 18, 2009 @10:15PM (#29114537)
      To elaborate on the parent post, "breaking and entering" is often referred to as a synonym for burglary, whereas it is in fact merely two of the elements to establish burglary. Under the common law, the following elements must be met to establish burglary:

      1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)

      2) Entering (Literally entering the physical structure)

      3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)

      4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)

      5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)

      Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.

      Jason
      Yale Law School, Class of 2010
      • Re: (Score:2, Funny)

        Wait... Australia has STATES? We must be WAY behind in getting those stars on the flag
        • by jasonwc ( 939262 ) on Tuesday August 18, 2009 @10:42PM (#29114743)
          Obviously I was referring to the United States, but you are correct in your implication that I should have been more clear especially on a site as pedantic as Slashdot.
        • Re: (Score:3, Funny)

          by zonky ( 1153039 )
          Yes, they have 6. [wikipedia.org]
          • Re: (Score:2, Funny)

            by davester666 ( 731373 )

            Six states of Australian's also known as Her Majesty's Penal Colony :-)
            Committing offense
            Charged with offense
            Awaiting trial
            Convicted
            Doing Time
            On Parole

        • Wait... Australia has STATES? We must be WAY behind in getting those stars on the flag

          Yep, we've earned our stripes too.

          By the way, we've bought the rights to the Star Spangled Banner. RIAA agents on their way to your ball games this very moment.

          Some Yank owns the rights to Waltzing Matilda, so it's only fair. RIAA might want to come to our barbecues, as we might sing it in a highly public way after a few beers. But they're nothing you can't fix with a backhoe, drunk or sober.

    • What if you are on a generic police site, and just land in there by randomly clicking on five links on the page? It is still "breaking and entering".

      What if you walk down the street, and fall into an open sewer, just to find out that it is a secret underground tunnel to a high-security government building, and there is no way to climb out, other than walking down the tunnel into the secret building?

      What if you are blind, and walk through the open backdoor of a police headquarter's stolen goods storage room?

      O

      • by aXis100 ( 690904 )

        The distinction is usually intent. If you accidentally walk into a secret bunker with no intent, then that's not breaking and entering or burglary.

    • by Hungus ( 585181 )

      Burglary is legally defined in most states as "entering of a premises with the intent to commit a felony"

    • "Can you be charged with breaking and entering a house that has the door left wide open?"

      NO, but you can be charged with trespassing and if you take anything, burglary. If the door was closed but not locked it would be breaking and entering. IANAL, but I just asked one...
  • by rm999 ( 775449 ) on Tuesday August 18, 2009 @09:12PM (#29114035)

    "Can you be charged with breaking and entering a house that has the door left wide open?"

    Nothing has to be "broken" during a breaking and entering. Not everything is so literal. As long as the person maliciously entered the system with the knowledge he didn't belong in there, it would be a virtual breaking and entering.

    • Re: (Score:3, Informative)

      by gandhi_2 ( 1108023 )
      IIRC, breaking means breaking the plane of entry. Not physically damaging anything.
      • by rm999 ( 775449 ) on Tuesday August 18, 2009 @09:38PM (#29114211)

        Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary [thefreedictionary.com]

        "At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale under-lying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."

        So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.

        • Re: (Score:3, Informative)

          by gandhi_2 ( 1108023 )
          This, I'm sure depends on what jurisdiction you are in. But...I guess we can all quote websites, right?
          From lawguru.com [lawguru.com]

          Forcible entry is distinguishable from the broader crime of "breaking and entering" which might not include any actual damage from the force used to "break" a way in, such as when one opens an unlocked door to private premises without license to do so, or tampers with a locking mechanism and later takes advantage of the defect. As such, one can assume that the "breaking" refers to breaking the plane of entry; that is, crossing the threshold of a door, window or other entryway into a building.

      • Depends on the jurisdiction. For example, in my state of Aus, last time I looked (a while ago, it may have changed),

        • Opening a closed door or gate - not locked, just closed - was enough to establish the "breaking" part
        • Walking through an open door, climbing a fence, etc was enough to be charged with "Entering without cause or reason" aka "Illegal entry", and
        • Walking through an open door or gate and looking around was enough to be charged with "Entering with intent"

        Hence "breaking and entering", "entering wi

    • by zippthorne ( 748122 ) on Tuesday August 18, 2009 @09:21PM (#29114101) Journal

      I should hope that the law is literal. "Don't be so literal" is not the kind of argument you want to hear from the prosecution at any phase of a trial. Especially sentencing. Assault and Battery are sure as damn different things, and separably chargeable.

      • Re: (Score:3, Informative)

        by rm999 ( 775449 )

        I think the difference is obvious. Would you "break" into someone's house and try to convince the judge you didn't literally break anything when you are being charged with breaking and entering? I hope not.

        I meant the name should not be taken literally, but obviously the law itself should.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Assault and Battery are sure as damn different things, and separably chargeable.

        I understand how one can charge a battery, but how does one charge an assault? Let alone why you'd have to charge them separately... ...

    • by EdIII ( 1114411 ) *

      it would be a virtual breaking and entering.

      Okay.. So do I go to Virtual Prison? Drop the Virtual Soap? Put on Virtual Lipstick?

      Just curious... :)

  • According to TFA (Score:3, Informative)

    by thatkid_2002 ( 1529917 ) on Tuesday August 18, 2009 @09:14PM (#29114041)
    TFA says that the computer was being used as a part of a (somewhat poorly executed) Sting.

    It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.

    TFS is very poorly written... it is not worthy of being a "Summary".

    • Re: (Score:3, Funny)

      I will give you a summary of the documented process they did for this then (it was on our local "4 corners" show and had me crying).

      They spoke of the Russian DDoS on the Gamboling people in the north, then they jumped around a bit listening to police officers talk a little too quietly (almost mumbling) about IT stuff (which had me cringing the entire time). Then they showed us a 20-year-old who looked like a try hard metalhead who was apparently this 'leet hacker' in control of 56,000 .au credit cards.

      Fina
      • Transcript of the bit that made me cringe most quoted below. Yes, the cops make a call to get a forum post made. Seriously, what sort of credible deterrent is a police force where the elite cybercrime detectives have to call IT to make a forum post?

        NEIL GAUGHAN (national manager hi-tech operations for AFP): G'day gents how we going?

        AFP OFFICER: Morning Sir, how you going.

        NEIL GAUGHAN: Good thanks.

        AFP OFFICER: What we're gonna do is we're just gonna make a telephone call and we're goi

        • by TheLink ( 130905 )
          Could be just due to separation of duties and authority levels.

          The officers might not be allowed to post official police notices on the internet, so they get someone else with that job responsibility to do it.

          It also shifts responsibility to someone else.
  • ...nothing a few more laws won't fix.
  • by Slotty ( 562298 ) on Tuesday August 18, 2009 @09:19PM (#29114075)
    They had an entire episode on one of the current affairs TV shows here in Australia dedicated to cyber crime. The very next day this article came out.

    The way they were talking on the TV show you're led to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However, according to the article the police stated that it was a separate network with no actual worthwhile data or connection to the real network.

  • Criminal Intent ! (Score:5, Informative)

    by redelm ( 54142 ) on Tuesday August 18, 2009 @09:26PM (#29114131) Homepage

    One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) have to establish intent in the break-in.

    Breaking & entering or burglary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.

    The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its use. After all, it could easily have been hidden.

  • by shacky003 ( 1595307 ) on Tuesday August 18, 2009 @09:39PM (#29114231)
    The OP is asking about being charged with anything just because the "door" wasn't on the "house" to keep them out...

    That's a little like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store while the owner was inside the store.."
    Just because there wasn't a safeguard in place (supreme dumbasses? Why yes!) it isn't a valid legal argument (at least in the states) to plead ignorance to the effect that you still stole the bike, even if there was no lock securing it..

    It might be an interesting place to live if everything could be played with/used/stolen as long as it wasn't secured..

    As always, I may know nothing about anything, ever - and don't smoke crack.
    • One of the things which I've always wondered is how hackers know they've broken into the real-deal versus a honeypot.

      1. Faking CC numbers, names and addresses, etc... isn't that difficult. Suppose, for example, the feds impersonated a bank server, complete with fake Credit Card numbers, names, addresses, etc...
      2. Hacker downloads the database, and then sells the info.
      3. Credit card companies issue "provisional credit" to vendors when the fake card number is used. Vendor sees "provisional credit" code on appro
    • Comment removed based on user account deletion
  • by DarthBart ( 640519 ) on Tuesday August 18, 2009 @09:54PM (#29114369)

    We don't need to secure anything...we've got a...

    (Tympanic BOOM-BOOM-BOOM)

    A FIREWALL!

  • TERRIBLE analogy (Score:3, Insightful)

    by Anonymous Coward on Tuesday August 18, 2009 @10:19PM (#29114561)

    Let's get a better analogy:

    "If you broke a window (pun intended), entered the house, saw safe on the floor, turned the handle and it was unlocked, would you be breaking and entering?"

    • by Renraku ( 518261 )

      Entering someone's property without being invited is trespassing.

      Entering someone's house without being invited is usually breaking and entering.

      Gaining access to the contents of something like a safe or a drawer would establish intent for theft, since that's pretty much the only reason you'd be entering a safe or drawer anyway, or at least, that's what the expensive lawyers would be paid to prove.

      So you have trespassing, and breaking and entering in the least.

      Now, this being a computer situation, I don't t

  • Four Corners (Score:2, Informative)

    by Mr_Plattz ( 1589701 )

    I'd just like to point out that on Monday night EST, Four Corners [abc.net.au] one of only a small handful of highly respected journalism shows in Australia, ran a piece on "Hackers" and "cyber-crime". I use inverted commas, because although this show is highly respected it "dumbed" down all the interviewees.

    1. Essentially it was about hackers who DDOS'd multi-bet and destroyed the company.
    2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
    3. Essentially it was about Australian F

    • 2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
      But I do want to make the point: Dumb people get what they deserve (point 2),

      If there is any justice in the world, you will end up with impaired mental faculties in your old age and some scammer will take you for everything you own.

  • Where the majority of the "Dancing with the Stars," generation are concerned these days, that's about the level of competence that the police need to get the job done. People who know how to access MySQL databases at all probably aren't a large group, relative to the general population.

    • I'd be worried if their "is it secure?" test was along the lines of "is it safe from an untrained tween with an internet browser?"

  • According to the article they also used "SQL injection" except they described it wrong.

    The person made a .php file through MySQL calls, but they referred to that as SQL injection.

  • I've got a few systems like that on my networks, except I call them honeypots.

  • by wheels4me ( 871935 ) on Wednesday August 19, 2009 @12:46AM (#29115385)
    The judges in AU are on a network that does not have a requirement that all users have passwords. Thus, many judges don't even password protect their PCs that are net-connected. It is no surprise that their db got hacked with the abysmal lack of security on the judicial network.
    • by quenda ( 644621 )

      Thus, many judges don't even password protect their PCs

      I think you may be mis-using the word "judges". Australian judges wear horse-hair wigs and wouldn't know a PC if they tripped over it. They have typists and stenographers to do that newfangled stuff.

  • by mccalli ( 323026 ) on Wednesday August 19, 2009 @02:52AM (#29115951) Homepage
    OK Slashdot, calm down...

    I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.

    So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here [mysql.com].

    The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.

    It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.

    Cheers,
    Ian
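
An added illustration of the point in the comment above, not code from the poster, the article or the MySQL project: a root account with no password is protected only by its host restriction and by where the server listens, so an audit has to look at both together. The sketch works on constructed rows in the MySQL 5.7+ `mysql.user` column layout and a constructed `my.cnf`; the function names, severity labels and the choice to treat a missing `bind-address` as exposed are assumptions of this example.

```python
import configparser
import ipaddress

# Plugins that authenticate via OS socket credentials, so an empty
# authentication_string does not mean "no password" for them.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def listener_exposed(cnf_text):
    """True if the [mysqld] section lets the server accept non-loopback TCP."""
    parser = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None
    )
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        return True  # assumption: no explicit setting is treated as exposed
    # my.cnf accepts both bind-address and bind_address spellings
    opts = {k.replace("_", "-"): v for k, v in parser["mysqld"].items()}
    if "skip-networking" in opts:
        return False
    addr = opts.get("bind-address")
    if addr is None:
        return True  # assumption: conservative default
    try:
        return not ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        # '*' or a hostname: only the literal name localhost counts as local
        return addr.strip().lower() != "localhost"


def audit(accounts, cnf_text):
    """Return (severity, account, reason) tuples for risky accounts."""
    exposed = listener_exposed(cnf_text)
    findings = []
    for acct in accounts:
        name = "'{}'@'{}'".format(acct["user"], acct["host"])
        passwordless = (
            acct["authentication_string"] == ""
            and acct["plugin"] not in SOCKET_PLUGINS
        )
        remote = acct["host"].lower() not in LOCAL_HOSTS
        if passwordless and remote and exposed:
            findings.append((
                "critical", name,
                "no password, non-local host pattern, listener reachable"))
        elif passwordless:
            findings.append((
                "high", name,
                "no password; only host restriction or binding protects it"))
        elif acct["user"] == "root" and remote:
            findings.append((
                "medium", name, "root permitted from a non-local host"))
    return findings


# Constructed sample data, not taken from the incident in the article.
SAMPLE_ACCOUNTS = [
    {"user": "root", "host": "localhost",
     "plugin": "mysql_native_password", "authentication_string": ""},
    {"user": "root", "host": "%",
     "plugin": "mysql_native_password", "authentication_string": ""},
    {"user": "app", "host": "10.0.0.%",
     "plugin": "mysql_native_password",
     "authentication_string": "*CONSTRUCTED-PLACEHOLDER-HASH"},
    {"user": "backup", "host": "localhost",
     "plugin": "auth_socket", "authentication_string": ""},
]
SAMPLE_CNF = "[mysqld]\n# constructed example config\nbind-address = 0.0.0.0\n"

if __name__ == "__main__":
    for severity, account, reason in audit(SAMPLE_ACCOUNTS, SAMPLE_CNF):
        print(severity.upper(), account, "-", reason)
```

The local-only root entry is still reported as high because, as the comment notes, the host restriction stops protecting the account once an attacker is already running code on the box.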
  • Can you be charged with breaking and entering a house that has the door left wide open?

    Who cares? That has about as much to do with this story as theft does with copyright violations.

  • Okay, let's get something straight..

    If a door to a house is left wide open, it is not an invitation. You can be charged with criminal trespass for entering the house - no "breaking and entering" (you watch too much TV, really) required.

    If you enter that house with the intent to commit a crime, then you've escalated to Burglary, which in my particular state is a first degree felony carrying a 20 year maximum sentence. It does not matter if you were successful in committing your crime. Simply entering the

  • Well there ya go, put people in charge that have no backgrounds in IT and let them call the shots, because they NEED to tell people what to do, we call this micromanaging. Just because it is easier to remember your dog's name, or to leave a password blank, does not mean you get to tell the network admin to make it so. His job is to enforce security, if you put blinders on him or limit his power by overruling him, then don't expect for anything to be secure!!!
