yon Leveron blog

John's musings on the Interknot cowpath

some new intel 32nm chips to support hardware AES acceleration

Posted by John on 3rd February 2010

(this next bit can affect everything from certain web transactions, to VoIP, to full disk encryption . . .)

AES-NI Performance Analyzed; Limited To 32nm Core i5 CPUs

2:00 AM – 02/02/2010 by Patrick Schmid and Achim Roos

Security is an important topic these days. However, it’s typically only recognized as important by professionals. If security were to suddenly turn into a mainstream selling point, though, then perhaps it’d make more sense for companies like Intel to promote it.

The Advanced Encryption Standard (AES) has already been adopted by the United States government—including the NSA—along with many other institutions. Intel’s 32nm Clarkdale-based CPUs (only the Core i5-600-series, so far) now promise significant performance benefits for AES encryption and decryption via new instructions. Today we’re looking at the real-world benefits of Intel’s AES-NI functionality, comparing a dual-core Core i5-661 with AES New Instructions (AES-NI) to a quad-core Core i7-870, which lacks the new encryption acceleration capability.

Encryption is used much more intensively than you might suspect. Consider Internet sites that hold your sensitive personal information, or utilize sensitive data for transactions. They all use protocols like Transport Layer Security (TLS) or Secure Sockets Layer (SSL). VoIP, instant messaging, and email may also be protected with these protocols. Virtual Private Networks (VPNs) and electronic payments are other popular encryption applications.

However, TLS and SSL are cryptographic protocols for secure communication, while AES is a general-purpose encryption standard. It can be used to encrypt individual files, data containers, archive files, entire drives (including thumb drives), and even multi-drive volumes. AES can be implemented in software, and there are products based on hardware acceleration as well, since encryption/decryption represent a rather significant workload. Solutions like TrueCrypt or Microsoft’s BitLocker, which is part of Windows Vista and Windows 7 Ultimate, are capable of encrypting entire partitions on the fly.

(for the rest of the first page, and all the other pages, hit up Tom’s)

—————-
Now playing: Men At Work – Crazy
via FoxyTunes

Posted in Security - Crypto, Tech | No Comments »

How to run your own SFTP server under Windows

Posted by John on 2nd February 2010

Credit: Nicholas Fong, who also has many other helpful articles at his site.

For the latest version of his accumulated guide / information, please see the authentic SFTP server under Cygwin article at http://pigtail.net/LRP/printsrv/cygwin-sshd.html ;)

It worked fine for me in Windows 7 on the first shot.  While I’d already been using Cygwin, the instructions were clear, though I did follow the Vista section at step 5.  The version I used was dated November 18, 2009.

Good luck!


—————-

Now playing: Disturbed – Down With The Sickness
via FoxyTunes

Posted in Tech | No Comments »

More cross platform crypto – javascript hashing functions

Posted by John on 31st January 2010

Posted in Security - Crypto | No Comments »

Javascript for advanced functions

Posted by John on 30th January 2010

Pretty nifty use in javascript : http://point-at-infinity.org/jsaes/

Also nice : http://point-at-infinity.org/ssss/ and http://point-at-infinity.org/seccure/ (also both crypto related . . .)

[Image: Edgar Allan Poe - crypto]

N.B.  I was sorely tempted to post an image relating to the futility of trying to contain crypto / ideas that was penned on flesh, in an image titled “howto-export-crypto-system-from-usa.jpg” (!)

But I resisted, as I try to keep this site friendly even to the most prudish families, etc.
—————-
Now playing: System of a Down – BYOB (Bring your own Bombs)
via FoxyTunes

Posted in Security - Crypto | No Comments »

Insurgents Hack U.S. Drones

Posted by John on 17th December 2009

Sad, really.


Insurgents Hack U.S. Drones

$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected

DECEMBER 17, 2009

By SIOBHAN GORMAN, YOCHI J. DREAZEN and AUGUST COLE

WASHINGTON — Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights. Still, the intercepts could give America’s enemies battlefield advantages by removing the element of surprise from certain missions and making it easier for insurgents to determine which roads and buildings are under U.S. surveillance.

The drone intercepts mark the emergence of a shadow cyber war within the U.S.-led conflicts overseas. They also point to a potentially serious vulnerability in Washington’s growing network of unmanned drones, which have become the American weapon of choice in both Afghanistan and Pakistan.

The Obama administration has come to rely heavily on the unmanned drones because they allow the U.S. to safely monitor and stalk insurgent targets in areas where sending American troops would be either politically untenable or too risky.

The stolen video feeds also indicate that U.S. adversaries continue to find simple ways of counteracting sophisticated American military technologies.

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.

In the summer 2009 incident, the military found “days and days and hours and hours of proof” that the feeds were being intercepted and shared with multiple extremist groups, the person said. “It is part of their kit now.”

A senior defense official said that James Clapper, the Pentagon’s intelligence chief, assessed the Iraq intercepts at the direction of Defense Secretary Robert Gates and concluded they represented a shortcoming to the security of the drone network.

“There did appear to be a vulnerability,” the defense official said. “There’s been no harm done to troops or missions compromised as a result of it, but there’s an issue that we can take care of and we’re doing so.”

Senior military and intelligence officials said the U.S. was working to encrypt all of its drone video feeds from Iraq, Afghanistan and Pakistan, but said it wasn’t yet clear if the problem had been completely resolved.

[Photo, U.S. Air Force: U.S. enemies in Iraq and Afghanistan have used off-the-shelf programs to intercept video feeds from Predator unmanned aircraft.]

Some of the most detailed evidence of intercepted feeds has been discovered in Iraq, but adversaries have also intercepted drone video feeds in Afghanistan, according to people briefed on the matter. These intercept techniques could be employed in other locations where the U.S. is using pilotless planes, such as Pakistan, Yemen and Somalia, they said.

The Pentagon is deploying record numbers of drones to Afghanistan as part of the Obama administration’s troop surge there. Lt. Gen. David Deptula, who oversees the Air Force’s unmanned aviation program, said some of the drones would employ a sophisticated new camera system called “Gorgon Stare,” which allows a single aerial vehicle to transmit back at least 10 separate video feeds simultaneously.

Gen. Deptula, speaking to reporters Wednesday, said there were inherent risks to using drones since they are remotely controlled and need to send and receive video and other data over great distances. “Those kinds of things are subject to listening and exploitation,” he said, adding the military was trying to solve the problems by better encrypting the drones’ feeds.

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.

Last December, U.S. military personnel in Iraq discovered copies of Predator drone feeds on a laptop belonging to a Shiite militant, according to a person familiar with reports on the matter. “There was evidence this was not a one-time deal,” this person said. The U.S. accuses Iran of providing weapons, money and training to Shiite fighters in Iraq, a charge that Tehran has long denied.

The militants use programs such as SkyGrabber, from Russian company SkySoftware. Andrew Solonikov, one of the software’s developers, said he was unaware that his software could be used to intercept drone feeds. “It was developed to intercept music, photos, video, programs and other content that other users download from the Internet — no military data or other commercial data, only free legal content,” he said by email from Russia.

Officials stepped up efforts to prevent insurgents from intercepting video feeds after the July incident. The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes. Additional concerns remain about the vulnerability of the communications signals to electronic jamming, though there’s no evidence that has occurred, said people familiar with reports on the matter.

Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.

In an email, a spokeswoman said that for security reasons, the company couldn’t comment on “specific data link capabilities and limitations.”

Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator’s price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.

“There’s a balance between pragmatics and sophistication,” said Mike Wynne, Air Force Secretary from 2005 to 2008.

The Air Force has staked its future on unmanned aerial vehicles. Drones account for 36% of the planes in the service’s proposed 2010 budget.

Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.

(via http://online.wsj.com/article/SB126102247889095011.html )


Yes, security lapses like this are unfortunately all too common. It is easy to see why there’s a need for hardware-based encryption here. How much would it really cost to add an ASIC with something at least at the level of 256-bit Twofish, or AES, etc.? While the tactical value of the drone video may decay pretty quickly, perhaps we don’t want any random folks reviewing an entire day’s video feed in, say, 10 years.

It’s high time that folks consider any public venue to be “compromisable”, whether wireless or wired (copper, fiber, etc.). If many businesses require the use of strong crypto (often via VPN) from your laptop back to the company office before you can even browse to an intranet https-secured site, perhaps this should be a clue for standards in other places, too.

—————-
Now playing: Rob Zombie – Foxy, Foxy
via FoxyTunes

Posted in Security - Crypto | 3 Comments »

CRYPTO-GRAM, December 15, 2009 [Bruce Schneier]

Posted by John on 14th December 2009

From: Bruce Schneier <schneier@schneier.com>
Date: Mon, Dec 14, 2009 at 22:41
Subject: CRYPTO-GRAM, December 15, 2009
To: CRYPTO-GRAM-LIST@listserv.modwest.com

CRYPTO-GRAM

December 15, 2009

by Bruce Schneier
Chief Security Technology Officer, BT
schneier@schneier.com
http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-0912.html>.  These same essays appear in the “Schneier on Security” blog: <http://www.schneier.com/blog>.  An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
Terrorists Targeting High-Profile Events
Eric Schmidt on Privacy
News
A Taxonomy of Social Networking Data
The Psychology of Being Scammed
Schneier News
Reacting to Security Vulnerabilities

** *** ***** ******* *********** *************

Terrorists Targeting High-Profile Events

In an AP story on increased security at major football (the American variety) events, this sentence struck me: “‘High-profile events are something that terrorist groups would love to interrupt somehow,’ said Anthony Mangione, chief of U.S. Immigration and Customs Enforcement’s Miami office.”

This is certainly the conventional wisdom, but is there any actual evidence that it’s true?  The 9/11 terrorists could have easily chosen a different date and a major event — sporting or other — to target, but they didn’t.  The London and Madrid train bombers could have just as easily chosen more high-profile events to bomb, but they didn’t.  The Mumbai terrorists chose an ordinary day and ordinary targets.  Aum Shinrikyo chose an ordinary day and ordinary train lines.  Timothy McVeigh chose the ordinary Oklahoma City Federal Building.  Irish terrorists chose, and Palestinian terrorists continue to choose, ordinary targets.  Some of this can be attributed to the fact that ordinary targets are easier targets, but not a lot of it.

The only examples that come to mind of terrorists choosing high-profile events or targets are the idiot wannabe terrorists who would have been incapable of doing anything unless egged on by a government informant. Hardly convincing evidence.

Yes, I’ve seen the movie Black Sunday.  But is there any reason to believe that terrorists want to target these sorts of events other than us projecting our own fears and prejudices onto the terrorists’ motives?

AP story:
http://www.huffingtonpost.com/2009/12/03/orange-bowl-pro-bowl-and-_n_379052.html or http://tinyurl.com/yhc9kpe

Idiot wannabe terrorists:
http://www.schneier.com/essay-174.html

I wrote about protecting the World Series some years ago.
http://www.schneier.com/essay-065.html

** *** ***** ******* *********** *************

Eric Schmidt on Privacy

Schmidt said:

I think judgment matters. If you have something that you don’t
want anyone to know, maybe you shouldn’t be doing it in the first
place. If you really need that kind of privacy, the reality is
that search engines — including Google — do retain this
information for some time and it’s important, for example, that we
are all subject in the United States to the Patriot Act and it is
possible that all that information could be made available to the
authorities.

This, from 2006, is my response:

Privacy protects us from abuses by those in power, even if we’re
doing nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We
are not deliberately hiding anything when we seek out private
places for reflection or conversation. We keep private journals,
sing in the privacy of the shower, and write letters to secret
lovers and then burn them. Privacy is a basic human need.

[...]

For if we are observed in all matters, we are constantly under
threat of correction, judgment, criticism, even plagiarism of our
own uniqueness. We become children, fettered under watchful eyes,
constantly fearful that — either now or in the uncertain future
— patterns we leave behind will be brought back to implicate us,
by whatever authority has now become focused upon our once-private
and innocent acts. We lose our individuality, because everything
we do is observable and recordable.

[...]

This is the loss of freedom we face when our privacy is taken from
us. This is life in former East Germany, or life in Saddam
Hussein’s Iraq. And it’s our future as we allow an ever-intrusive
eye into our personal, private lives.

Too many wrongly characterize the debate as “security versus
privacy.” The real choice is liberty versus control. Tyranny,
whether it arises under threat of foreign physical attack or under
constant domestic authoritative scrutiny, is still tyranny.
Liberty requires security without intrusion, security plus
privacy. Widespread police surveillance is the very definition of
a police state. And that’s why we should champion privacy even
when we have nothing to hide.

Schmidt’s remarks:
http://gawker.com/5419271/google-ceo-secrets-are-for-filthy-people

My essay on the value of privacy:
http://www.schneier.com/essay-114.html

See also Daniel Solove’s “‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy.”
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

** *** ***** ******* *********** *************

News

Interesting research on public reactions to terrorist threats.  Not that it’s surprising: Fear makes people deferential, docile, and distrustful, and both politicians and marketers have learned to take advantage of this.
http://www.schneier.com/blog/archives/2009/11/public_reaction.html
Jennifer Merolla and Elizabeth Zechmeister have written a book, Democracy at Risk: How Terrorist Threats Affect the Public.  I haven’t read it yet.
http://www.amazon.com/gp/product/0226520552/counterpane/

Funny image: anti-malware detection and the original Trojan Horse.
http://www.sampsonuk.net/B3TA/TrojanHorse.jpg

A study in the British Journal of Criminology makes the point that drink-spiking date-raping is basically an urban legend.  The hypothesis is that perpetuating the fear of drug-based rape allows parents and friends to warn young women off excessive drinking without criticizing their personal choices.  The fake bogeyman lets people avoid talking about the real issues.
http://www.schneier.com/blog/archives/2009/11/a_useful_side-e.html

Door locks that open if you tap a particular rhythm.
http://www.engadget.com/2009/11/04/secret-knock-door-lock-defends-home-from-rhythmically-impaired/ or http://tinyurl.com/yes7sy5
http://spritesmods.com/?art=knock2open
http://www.taplock.com/

Neat research in “quantum ghost imaging.”  Despite its name, it has nothing to do with quantum mechanics; it’s a way to use a camera and a light source to produce images of objects that the camera cannot see.
http://www.newscientist.com/article/dn13825
http://www.globalsecurity.org/military/library/news/2009/11/mil-091102-afps05.htm or http://tinyurl.com/yzo22l8
http://arxiv1.library.cornell.edu/PS_cache/arxiv/pdf/0807/0807.2614v1.pdf or http://tinyurl.com/y9cxzvb

How smart are Islamic terrorists?  According to “Organizational Learning and Islamic Militancy,” written by Michael Kenney for the U.S. Department of Justice in May, not very.
http://www.schneier.com/blog/archives/2009/11/how_smart_are_i.html

Research on stabbing people with stuff you can get through airport security.
http://www.ncbi.nlm.nih.gov/pubmed/17325460?itool=EntrezSystem2.PEntrez.Pubmed.Pubmed_ResultsPanel.Pubmed_RVDocSum&ordinalpos=257 or http://tinyurl.com/ybgvnec

Denial-of-service attacks against CALEA:
http://www.schneier.com/blog/archives/2009/11/denial-of-servi.html

Funny: career fair fail.
http://failblog.org/2009/11/07/career-fair-fail/
See the caption on the original photo for the real story.
http://www.flickr.com/photos/paperghost/776598575/in/set-72157600761788702/ or http://tinyurl.com/ykrxc8o

Al Qaeda secret code broken: maybe this is a real story, and maybe not.
http://www.schneier.com/blog/archives/2009/11/al_qaeda_secret.html

Decertifying “terrorist” pilots:
http://www.schneier.com/blog/archives/2009/11/decertifying_te.html

Norbt (no robot) is a low-security web application to encrypt web pages.  You can create and encrypt a webpage.  The key is an answer to a question; anyone who knows the answer can see the page.  I’m not sure this is very useful.
https://norbt.com/

This paper, on users rationally rejecting security advice, by Cormac Herley at Microsoft Research, sounds like me:
http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf or http://tinyurl.com/ygwsxno
Related article on usable security:
http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext or http://tinyurl.com/yklgwfb

If you allow players in an online world to penalize each other, you open the door to extortion.
http://www.schneier.com/blog/archives/2009/11/virtual_mafia_i.html

Long, detailed, and very good story of the Mumbai terrorist attacks of last year.
http://www.vqronline.org/webexclusive/2009/11/19/motlagh-mumbai-attacks/ or http://tinyurl.com/yknrgun
My own short commentary in the aftermath of the attacks.
http://www.schneier.com/blog/archives/2008/12/lessons_from_mu.html

Wikileaks has published pager intercepts from New York on 9/11. It’s disturbing to realize that someone, possibly not even a government, was routinely intercepting most (all?) of the pager data in lower Manhattan as far back as 2001.  Who was doing it?  For what purpose?  That, we don’t know.
http://www.schneier.com/blog/archives/2009/11/leaked_911_text.html

This 1996 interview with psychiatrist Robert DuPont was part of a Frontline program called “Nuclear Reaction.”  He’s talking about the role fear plays in the perception of nuclear power.  It’s a lot of the sorts of things I say, but particularly interesting is his comments on familiarity and how it reduces fear.
http://www.pbs.org/wgbh/pages/frontline/shows/reaction/interviews/dupont.html or http://tinyurl.com/ygxbfvz
So, among other reasons, terrorism is scary because it’s so rare.  When it’s more common — England during the Troubles, Israel today — people have a more rational reaction to it.
http://www.schneier.com/blog/archives/2009/11/fear_and_overre.html

Long blog post of mine on cyberwarfare policy; lots of links.
http://www.schneier.com/blog/archives/2009/12/cyberwarfare_po.html

This research centers on looking at the radio characteristics of individual RFID chips and creating a “fingerprint.”  It makes sense; fingerprinting individual radios based on their transmission characteristics is as old as WW II.  But while the research centers on using this as an anti-counterfeiting measure, I think it would much more likely be used as an identification and surveillance tool.  Even if the communication is fully encrypted, this technology could be used to uniquely identify the chip.
http://dailyheadlines.uark.edu/16260.htm

With Windows Volume Shadow Copy, it can be impossible to securely delete a file.
http://blog.szynalski.com/2009/11/23/volume-shadow-copy-system-restore/ or http://tinyurl.com/yleobxl

Sprint provides U.S. law enforcement with cell phone customer location data:
http://www.schneier.com/blog/archives/2009/12/sprint_provides.html

Using fake documents to get a valid U.S. passport:
http://www.schneier.com/blog/archives/2009/12/using_fake_docu.html
No credential can be more secure than its breeder documents and issuance procedures.

Article on “Emotional epidemiology” from the New England Journal of Medicine.  It sounds familiar.
http://www.schneier.com/blog/archives/2009/12/emotional_epide.html

The TSA accidentally published its standard operating procedures:
http://www.schneier.com/blog/archives/2009/12/tsa_publishes_s.html
It might have compromised an intelligence program:
http://politics.theatlantic.com/2009/12/did_the_tsa_compromise_an_intelligence_program.php or http://tinyurl.com/y96ngm5

No real news on Obama’s cybersecurity czar:
http://www.schneier.com/blog/archives/2009/12/obamas_cybersec_1.html
For the record — as the rumors circulate occasionally — I don’t want the job.

Wondermark on passwords:
http://wondermark.com/576/

U.S./Russia cyber arms control talks:
http://www.schneier.com/blog/archives/2009/12/usrussia_cyber.html

** *** ***** ******* *********** *************

A Taxonomy of Social Networking Data

At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data.  Someone made the point that there are several different types of data, and it would be useful to separate them.  This is my taxonomy of social networking data.

1. Service data.  Service data is the data you need to give to a social networking site in order to use it.  It might include your legal name, your age, and your credit card number.

2. Disclosed data.  This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.

3. Entrusted data.  This is what you post on other people’s pages.  It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data — someone else does.

4. Incidental data.  Incidental data is data the other people post about you.  Again, it’s basically the same stuff as disclosed data, but the difference is that 1) you don’t have control over it, and 2) you didn’t create it in the first place.

5. Behavioral data.  This is data that the site collects about your habits by recording what you do and who you do it with.

Different social networking sites give users different rights for each data type.  Some are always private, some can be made private, and some are always public.  Some can be edited or deleted — I know one site that allows entrusted data to be edited or deleted within a 24-hour period — and some cannot. Some can be viewed and some cannot.

And people *should* have different rights with respect to each data type.  It’s clear that people should be allowed to change and delete their disclosed data.  It’s less clear what rights they have for their entrusted data.  And far less clear for their incidental data.  If you post pictures of a party with me in them, can I demand you remove those pictures — or at least blur out my face?  And what about behavioral data?  It’s often a critical part of a social networking site’s business model.  We often don’t mind if they use it to target advertisements, but are probably less sanguine about them selling it to third parties.

As we continue our conversations about what sorts of fundamental rights people have with respect to their data, this taxonomy will be useful.

Lots of discussion at the blog entry:
http://www.schneier.com/blog/archives/2009/11/a_taxonomy_of_s.html

Another categorization centered on destination instead of trust level:
http://mechpoe.blogspot.com/2009/11/another-categorization-of-social.html or http://tinyurl.com/y9q5exr

** *** ***** ******* *********** *************

The Psychology of Being Scammed

This is a very interesting paper: “Understanding scam victims: seven principles for systems security,” by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games.  (There’s no DVD of the show available, but there are bits of it on YouTube.) Frank Stajano is at the Computer Laboratory of the University of Cambridge.

The paper describes a dozen different con scenarios — entertaining in itself — and then lists and explains six general psychological principles that con artists use:

1. The distraction principle.  While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.

2. The social compliance principle.  Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.

3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.

4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.

5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.

6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.

It all makes for very good reading.

The paper:
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.html

The Real Hustle:
http://www.imdb.com/title/tt0791615/

Two previous posts on the psychology of conning and being conned.
http://www.schneier.com/blog/archives/2009/06/the_psychology_3.html
http://www.schneier.com/blog/archives/2008/10/the_psychology_1.html

** *** ***** ******* *********** *************

Schneier News

Interview with me conducted in Rotterdam in October.
http://risky.biz/RB2-schneier

Interview with me from Gulf News:
http://gulfnews.com/business/technology/cloud-computing-is-here-to-stay-1.532744 or http://tinyurl.com/y8jnskv

Video of the talk on “The Future of Privacy” that I gave to the Open Rights Group in early December:
http://www.openrightsgroup.org/blog/2009/Bruce-Schneier-video-and-book-giveaway or http://tinyurl.com/ya92ksc

** *** ***** ******* *********** *************

Reacting to Security Vulnerabilities

Last month, researchers found a security flaw in the SSL protocol, which is used to protect sensitive web data. The protocol is used for online commerce, webmail, and social networking sites. Basically, hackers could hijack an SSL session and execute commands without the knowledge of either the client or the server. The list of affected products is enormous.

If this sounds serious to you, you’re right. It is serious. Given that, what should you do now? Should you not use SSL until it’s fixed, and only pay for internet purchases over the phone? Should you download some kind of protection? Should you take some other remedial action? What?

If you read the IT press regularly, you’ll see this sort of question again and again. The answer for this particular vulnerability, as for pretty much any other vulnerability you read about, is the same: do nothing. That’s right, nothing. Don’t panic. Don’t change your behavior. Ignore the problem, and let the vendors figure it out.

There are several reasons for this. One, it’s hard to figure out which vulnerabilities are serious and which are not. Vulnerabilities such as this happen multiple times a month. They affect different software, different operating systems, and different web protocols. The press either mentions them or not, somewhat randomly; just because it’s in the news doesn’t mean it’s serious.

Two, it’s hard to figure out if there’s anything you can do. Many vulnerabilities affect operating systems or Internet protocols. The only sure fix would be to avoid using your computer. Some vulnerabilities have surprising consequences. The SSL vulnerability mentioned above could be used to hack Twitter. Did you expect that? I sure didn’t.

Three, the odds of a particular vulnerability affecting you are small. There are a lot of fish in the Internet, and you’re just one of billions.

Four, often you can’t do anything. These vulnerabilities affect clients and servers, individuals and corporations. A lot of your data isn’t under your direct control — it’s on your web-based email servers, in some corporate database, or in a cloud computing application. If a vulnerability affects the computers running Facebook, for example, your data is at risk, whether you log in to Facebook or not.

It’s much smarter to have a reasonable set of default security practices and continue doing them. This includes:

1. Install an antivirus program if you run Windows, and configure it to update daily. It doesn’t matter which one you use; they’re all about the same. For Windows, I like the free version of AVG Internet Security. Apple Mac and Linux users can ignore this, as virus writers target the operating system with the largest market share.

2. Configure your OS and network router properly. Microsoft’s operating systems come with a lot of security enabled by default; this is good. But have someone who knows what they’re doing check the configuration of your router, too.

3. Turn on automatic software updates. This is the mechanism by which your software patches itself in the background, without you having to do anything. Make sure it’s turned on for your computer, OS, security software, and any applications that have the option. Yes, you have to do it for everything, as they often have separate mechanisms.

4. Show common sense regarding the Internet. This might be the hardest thing, and the most important. Know when an email is real, and when you shouldn’t click on the link. Know when a website is suspicious. Know when something is amiss.

5. Perform regular backups. This is vital. If you’re infected with something, you may have to reinstall your operating system and applications. Good backups ensure you don’t lose your data — documents, photographs, music — if that becomes necessary.

That’s basically it. I could give a longer list of safe computing practices, but this short one is likely to keep you safe. After that, trust the vendors. They spent all last month scrambling to fix the SSL vulnerability, and they’ll spend all this month scrambling to fix whatever new vulnerabilities are discovered. Let that be their problem.

SSL flaw:
http://www.eweekeurope.co.uk/news/security-researchers-uncover-ssl-vulnerability-2355 or http://tinyurl.com/yge9not
http://www.linuxtoday.com/news_story.php3?ltsn=2009-11-06-008-35-NW-DV-NT or http://tinyurl.com/yb9pxsa
http://isc.sans.org/diary.html?storyid=7534
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1373678,00.html or http://tinyurl.com/yhw7vhb
http://www.tombom.co.uk/blog/?p=85
http://www.securityfocus.com/bid/36935/info

SSL flaw used to hack Twitter:
http://www.techworld.com.au/article/326496/ssl_flaw_could_been_used_hack_twitter or http://tinyurl.com/yevj4uv
http://www.eweek.com/c/a/Security/Researcher-Demonstrates-SSL-Vulnerability-on-Twitter-291904/ or http://tinyurl.com/yejjhkz

AVG Anti-virus:
http://lifehacker.com/5401255/best-antivirus-application-avg

My 2004 article on safe personal computing:
http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.  You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>.  Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable.  Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the best sellers “Schneier on Security,” “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms.  He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC).  He is a frequent writer and lecturer on security topics.  See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not necessarily those of BT.

Copyright (c) 2009 by Bruce Schneier.

—————-
Now playing: David Bowie – Modern Love
via FoxyTunes

Posted in Security - Crypto | No Comments »

Acronis TrueImage seems incompatible with TrueCrypt

Posted by John on 25th November 2009

Alas, this is going to be a challenging Tech week, I can tell. All I can report for now is that the current revision of Acronis True Image Home 2010 (version number 13.0.6053) doesn’t seem to work well with my TrueCrypt’d boot partition setup, under Windows 7 x64 [Version 6.1.7600].

Back to the drawing board – I’d really like to upgrade from DriveImage XML at some point [ahem] but at least it works!


—————-
Now playing: Eric Cartman – Come Sail Away
via FoxyTunes

Posted in Security - Crypto, Tech | No Comments »

distributed download technology

Posted by John on 22nd November 2009

I’m still happy with the capabilities of torrent-for-business models – with many downloads now weighing in at multi-gigabyte levels, it makes sense, even for World of Warcraft updates / installs, which have long used the technology. But things are changing with the relative need for even centralized “trackers”:

The development of DHT has reached a stage where a tracker is no longer needed to use a torrent. DHT (combined with PEX) is highly effective in finding peers without the need for a centralized service. If you run uTorrent you might have noticed in the tracker tab of your torrents that the [Peer Exchange] (PEX) row is often reporting a lot more peers than the trackers you might have for that torrent. These peers all came to you without the use of a central tracker service! This is what we consider to be the future. Faster and more stability for the users because there is no central point to rely upon.

Now that the decentralized system for finding peers is so well developed, TPB has decided that there is no need to run a tracker anymore, so it will remain down! It’s the end of an era, but the era is no longer up2date. We have put a server in a museum already, and now the tracking can be put there as well.

By moving to a more decentralized system of handling tracking (DHT+PEX) and distributions of torrent files (Magnet Links), BitTorrent will become less vulnerable to downtime and outages:

  • With decentralized peer acquisition, there is no central tracker that can be down.
  • With decentralized fetching of metadata (torrents) we don’t need to rely on a single server that stores and distributes torrent files.

I can even imagine this extended a bit to house educational video clips, distributed. Perhaps not as easily streamed, but certainly viable as a file-based video download approach. Cf. http://www.godaddy.com/hosting/word-camp.aspx for an example; not sure how much they captured, but as I’ve said there is little reason these days not to capture the vast majority of it, given low space costs and the huge userbase of WordPress.
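As an added example (not from this post, from TPB’s announcement, or from any BitTorrent client), here is the check that makes tracker-less metadata distribution trustworthy: a magnet link carries only the SHA-1 infohash, so a client must verify that the info dictionary it receives from DHT/PEX peers actually hashes to that value before using it. The bencode encoder, the magnet helpers and the sample info dict are constructed for this illustration; base32 infohashes are rejected for brevity.

```python
# Added illustration: magnet link infohash vs. peer-supplied metadata.
import hashlib
from urllib.parse import parse_qs, quote, urlparse


def bencode(obj) -> bytes:
    """Minimal bencode encoder (BEP 3) for the types an info dict uses."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # Keys are byte strings in sorted order: the canonical form the hash covers.
        items = sorted(((k.encode() if isinstance(k, str) else k, v)
                        for k, v in obj.items()), key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def infohash(info: dict) -> str:
    """SHA-1 of the bencoded info dict, lowercase hex: the 'btih' value."""
    return hashlib.sha1(bencode(info)).hexdigest()


def make_magnet(info: dict) -> str:
    """Build a magnet link carrying only the infohash and a display name."""
    return f"magnet:?xt=urn:btih:{infohash(info)}&dn={quote(info['name'])}"


def magnet_infohash(link: str) -> str:
    """Return the 40-hex-char infohash from the link's xt=urn:btih: field."""
    for xt in parse_qs(urlparse(link).query).get("xt", []):
        if xt.lower().startswith("urn:btih:") and len(xt) == 9 + 40:
            return xt[9:].lower()
    raise ValueError("magnet link has no 40-hex btih infohash")


def metadata_matches(link: str, info: dict) -> bool:
    """Accept a peer-supplied info dict only if it hashes to the link's infohash."""
    return infohash(info) == magnet_infohash(link)


# Constructed sample info dict (one-file torrent with a single dummy piece hash).
SAMPLE_INFO = {"name": "example.iso", "piece length": 262144,
               "length": 1024, "pieces": b"\x00" * 20}
```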

—————-
Now playing: Monty Python – Interlude 2
via FoxyTunes

Posted in Tech | No Comments »

TrueCrypt updated to fully support Windows 7

Posted by John on 21st October 2009

Pretty handy timing, the day before Windows 7 launches to the general public!

I’ve alluded to TrueCrypt before, but have yet to do a real “feature” on it.

(below changelog via http://www.truecrypt.org/docs/?s=version-history )

TrueCrypt 6.3

October 21, 2009

New features:

  • Full support for Windows 7.

  • Full support for Mac OS X 10.6 Snow Leopard.

  • The ability to configure selected volumes as ‘system favorite volumes’. This is useful, for example, when you have volumes that need to be mounted before system and application services start and before users start logging on. It is also useful when there are network-shared folders located on a TrueCrypt volume and you need to ensure that the network shares will be restored by the system each time it is restarted. For more information, see the chapter ‘Main Program Window’, section ‘Program Menu’, subsection ‘Volumes -> Save Currently Mounted Volumes as Favorite’ in the documentation. (Windows)

Improvements and bug fixes:

  • ‘Favorite’ volumes residing within partitions or dynamic volumes will no longer be affected by changes in disk device numbers, which may occur, e.g., when a drive is removed or added.  (Windows)

  • Many other minor improvements and bug fixes.  (Windows, Mac OS X, and Linux)

The latest version of TrueCrypt can always be downloaded from http://www.truecrypt.org/downloads

Posted in Security - Crypto, Tech | No Comments »

Acronis True Image Home 2010 – launch today of first backup tool compatible with Windows 7

Posted by John on 16th September 2009

Just launched today: New Acronis True Image Home 2010 is the most reliable and easy to use backup solution. Now with online backup option! Delivers powerful insurance for Windows 7 migration.

Acronis is very confident in their new product, and I have to agree; it looks even easier to use than before, and they’ve been steadily adding features instead of bling. It’s always a good sign when they’re willing to let you try it out for free: Acronis True Image Home 2010 Free Trial Download.

I ran through a couple of Beta testing versions before this new launch, and Acronis looks like they made the minor changes needed. I was really glad to see the launch, as I’ve been relying on this for some time since I’m running the production Windows 7 on my (windows) machines.

Acronis says: “With Acronis True Image Home 2010, rest assured that all your important data including images, music, documents and applications are well protected and can easily be recovered in the event of any disaster. Also the newest Acronis True Image Home 2010 is the best solution for moving your system to Windows 7 and storing your backups online.”

The only portion I would add is that the online backup is optional; you can still use the conventional backup mode to practically any device (DVD, network, FireWire or USB hard disk, etc.).

Since I prefer to have both a local copy (external hard disk, unplugged from electrical system when not in use) as well as an offsite backup copy (online is increasingly attractive, as long as it’s well encrypted, which True Image 2010 supports) this really fits my needs.

I’m quite happy with the dual destination backup feature as well; it’s refreshing to see this brought from their Enterprise market down to a much less expensive home / home office product.

Thanks for reading this launch information and review of Acronis True Image 2010. I hope you’ll be as satisfied as I am with the newest version of their flagship product. You can download a completely functional evaluation copy for free here, or you can order the full product for $49.99 directly from the picture link below.

Acronis True Image Home 2010

Posted in Tech | 2 Comments »