Two-factor authentication: A Rick the Toolman episode.
Rick Howard: What a mess. I opened up my trusty password manager app this morning to fiddle with the settings on one of my accounts. I've been using LastPass for about five years now to manage all of my personal, family and professional online account relationships. My experience is probably similar to yours. During that five-year stretch, LastPass has accumulated over 500 passwords of mine. Admittedly, some of those accounts were one-and-done relationships, meaning I used the account once and never touched it again. But still, that's a lot of passwords to remember. And since we're sharing, some of those passwords aren't that good. I'm not admitting to having any 1-2-3-4-5s or I-love-yous in there. But some of them, let's just say, don't meet the requirements of the NIST digital identity guidelines special publication. And it isn't like I don't know that some of those passwords are bad. I mean, LastPass flags them with helpful warnings like, you know, that password you're using for the Critical Role website - my favorite Dungeons & Dragons website of all time - is really dumb, or you haven't changed that password in, like, 15 years. You might consider upgrading, you incompetent poser.
(SOUNDBITE OF FILM, "WILD HOGS")
Ray Liotta: (As Jack) And you're the biggest poser of them all, aren't you, Squinty?
Rick Howard: Oh, and by the way, it's a really dumb password, too.
(SOUNDBITE OF ARCHIVED RECORDING)
Unidentified Person: Oh, no.
Rick Howard: OK. OK. Those aren't actual LastPass error messages. But when I read them, that's the guilt I'm hearing in my head. And yes, I get imposter syndrome just like everyone else. I'm just saying that if a 30-year security veteran like me can't come up with NIST-certified passwords for all the accounts I need to do business with on the internet when I know better, then what hope does my 80-year-old mother-in-law, hanging ten on her iPad as she surfs the web, have with hers? There's got to be a better way. You know what? It turns out that there is. It's called two-factor authentication or multifactor authentication. And the concept has come a long way since it was invented back in the mid-1980s. That means that it's time to break out the Rick the Toolman toolbox and figure out how multifactor authentication works today.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Rick Howard: My name is Rick Howard. And I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. As I mentioned in the single sign-on episode, we have Dr. Fernando Corbato to thank for the invention of the password when he was a student at MIT in the early 1960s. It was a stopgap measure to prevent users on a mainframe from poking around each other's files and to limit mainframe computer time. Fun fact - Corbato stored the passwords in a text file, which probably provoked one of the first computer hacks ever. Allen Scherr, working on his Ph.D. at the time, found the unprotected text file, stole passwords from other students and was able to grant himself more computer time. You got to love those MIT nerds.
(SOUNDBITE OF SONG, "WHITE & NERDY")
Weird Al Yankovic: (Singing) I want to roll with the gangsters. But so far they all think I'm too white and nerdy - think I'm just too white and nerdy, think I'm just too white and nerdy. I'm just too white and nerdy - really, really white and nerdy. (Rapping) First in my class here at MIT, got skills, I'm a champion...
Rick Howard: In those early days, password authentication was weak, but it wasn't a major problem. Computer use was limited to government projects and academic research and development. There weren't a lot of people using network computers back then. But by the 1980s, with the ARPANET slowly morphing into the internet, the computer user population started to grow. And the community needed more robust authentication methods for important systems. In the mid-1980s, Security Dynamics Technologies was the first company to create a hardware token device that created one-time passwords - or OTPs - for authentication. And in 1995, AT&T patented the idea of two-factor authentication. They said that to identify an authorized user, any system needed to check at least two of three factors - something they have, like a smartphone, something they are, like a fingerprint, or something they know, like a password. But the early systems were clunky, hard to manage and only used in environments that needed the most robust security. Later, when the smartphone started to emerge in the mid-2000s, that started to change. All of a sudden, everybody had a second factor in their pocket. That led to all kinds of innovation. So I thought I would invite a guest to the CyberWire hash table to see if we could figure out, just exactly what is the current state of two-factor authentication? I'm joined by Chris Hoffman, the editor-in-chief of the fantastic website How-To Geek, a site that I watch every day. It's in my daily rotation of things to read. So Chris, thanks for coming on the show.
Chris Hoffman: Thanks so much. Great to be here.
Rick Howard: So Chris, you've been the editor-in-chief at How-To Geek for over three years now. But you've been doing tech writing for well over a decade. And here at the CyberWire, we're always interested in how people became who they are. So what was your path to get there? How did you become editor-in-chief of your famous website?
Chris Hoffman: Oh, wow. That's a great question. I mean, I've always been a bit of a computer geek. I was always very interested in technology. And also, from a young age, I really kind of enjoyed writing. And I just - at a certain point, I, you know, realized, like, hey, I could just start writing about technology online and just kept doing it and kept doing that, and just built more of an audience and built more experience and eventually just rose up through the ranks and took over the whole website.
Rick Howard: It's a common theme to most cybersecurity professionals that writing is a thing they had to be good at just to be able to explain things that they know that other smart people don't know about. So I'm glad to hear that's a major part of how you got to be who you are. (Laughter) All right. So...
Chris Hoffman: Yeah.
Rick Howard: All right. So today, we are talking about two-factor authentication. And we've come a long way from the original one-time password token device created by a company called Security Dynamics in the mid-1980s. And when I was doing some preliminary research on the history and evolution of this two-factor authentication stuff, I ran into your excellent article that you wrote back in 2017 about the various ways you can use two-factor authentication. And there's going to be a link in the show notes for those interested. And I highly recommend it. But I thought, instead of me summarizing the article, I would just bring you on and we can discuss them. So I wanted to start with describing the various methods that are out there today. And at the end, we can try to rate them on a scale from least desirable to most desirable. How does that sound?
Chris Hoffman: Yeah, sounds great.
Rick Howard: All right. So let's start with SMS verification. How does that work?
Chris Hoffman: I think this is the one that everyone has used, really, at this point.
Rick Howard: Yeah.
Chris Hoffman: I don't even know if people think of it as a two-factor authentication. It's just - you know, if you're a geek, you're into two-factor authentication. But if you're just anyone using any technology, your bank, like, you're going to get the SMS verification. You know, when you sign in with your password - you know, especially your bank - you get texted a code to your phone. And then you'll have to enter that code. So this is great because if someone gets your password, they also need to have a code sent to your phone. So if you have malware in your computer, if you have a keylogger, if you are one of the, unfortunately, many, many people who reuse passwords and then it comes out in a leak...
Rick Howard: What?
Chris Hoffman: Yeah.
Rick Howard: What are you saying, exactly? I don't know what you're talking about.
Chris Hoffman: Yeah. Unfortunately, reusing passwords is a major problem because, you know, it comes out in a leak, and there's a whole leaked database. So you have criminals that just start trying - they just automatically - OK, I'll try this username and password or this email and password combination on all these other websites. And they get into people's accounts. And that's how so many accounts are hacked, as they say. With the SMS code, like, if someone tries to get into your account, they need the code sent to your phone. So SMS verification is great. Honestly, I don't want to be one of those people who slams it. It is definitely the least secure type of two-factor authentication. However, it's still much better than nothing at all. So I think, oftentimes in technology, and security especially, there's this idea of the perfect being the enemy of the good. Or just say...
Rick Howard: That's so true. It's so true.
Chris Hoffman: People will say, oh, SMS verification is terrible. People - like, SMS verification is much, much, much better than nothing at all.
Rick Howard: So I agree with that. So it's basically, you log into a website, some account somewhere, say Twitter. And then the Twitter website sends you a text message to your phone. You put that code into the login screen. And that's how you get in. So two factors there. All right. Then email verification is very similar, except we're not using text messaging to do it. We're just using your email client to do it. Is there anything major we need to talk about there about the difference between the two?
Chris Hoffman: Not really. I mean, I think with both of them, you end up in this scenario of like, OK, well, how secure is your email? Or how secure is your SMS? How secure is your phone number? And this may not be an issue for the average person so much. But definitely, there have been some high-profile cases of social engineering. Someone goes to - let's say you have your phone number through Verizon. Someone goes to Verizon customer service and says, I'm this person. And I lost my phone. I'm going to need you to transfer my phone number to a new phone. And then they can get your SMS verification codes on their phone. So it is vulnerable to that kind of social engineering, which is a problem. And same thing for email if - you know, how secure is your email if you have malware on your computer or something like that? So both are vulnerable in that sense.
Rick Howard: So we'll talk about those in a second and rate how good they are compared to these other ones, because these other ones you mention in your article are more well-thought out, I would say. And the first one is - I'm calling it authenticator soft tokens, the Google Authenticator app or something you can get from ID.me, or if you're a gamer, Blizzard's battle.net.
Chris Hoffman: Yep.
Rick Howard: And even LastPass, the password manager app, has an authenticator. So explain how these work.
Chris Hoffman: Yep. And, you know, you can definitely go on. Like, Steam has a built-in thing...
Rick Howard: Yeah. Yeah.
Chris Hoffman: ...Like Authy, which also uses, like, Google Authenticator and stuff. Like, 1Password also has that built in. And what it's doing is it's generating the code on your phone. It's actually using, basically, a little seed token that goes in the app. And then it generates something called a TOTB - or I think it's TOTP.
Rick Howard: Yeah. It's called time-based one-time passwords, TOTPs.
Chris Hoffman: Yeah. OK. Yeah. I was about to say, time-based one-time password, but where's the B? But - so it's called TOTP.
Rick Howard: (Laughter).
Chris Hoffman: So it's generating a one-time password based on this seed. And it's generally good for, like, 30 seconds. If someone intercepts this, the code you type, they can't figure out, like, oh, what's the code going to be 30 seconds from now? So...
Rick Howard: Right.
Chris Hoffman: You have that app on your phone. And you use the app. And there's not the same risk that, oh, like, someone's going to go to Verizon or T-Mobile or AT&T - I don't mean to single anyone - or someone's going to somehow get into your email, and they're going to be able to get the code. No, because they need the seed phrase that's in the app on your phone.
Rick Howard: So it's an Internet Engineering Task Force algorithm. So it's a standard, right? And the difference between, say, these authentication apps and, say, SMS authentication is there's no code being sent in the clear, right? These things are being generated on your second-factor...
Chris Hoffman: Yeah.
Rick Howard: ...Phone - so, by design, a little bit more secure. The next one is called push authentication, and various big Silicon Valley companies have been playing around with this. Google does it. Apple does it. Microsoft and Twitter does it. What's the difference between this and the authenticator app?
Chris Hoffman: I think the authenticator apps came around first, and they were mostly adopted by geeks, I feel like. And the kind of the app-based kind of push notification is it makes it easy for just the average person to set up. If you have the Gmail app on your phone, you don't have to install Google Authenticator. And, you know, if you try to sign into your Google account, it will send you a push notification just like you get a new email to your phone and saying, hey; is this you? Are you trying to sign in? And if you tap in and say, like, yeah, this is me, then you can sign in.
Chris Hoffman: So it uses the fact that - like, why do we have to, you know, do - go through a whole two-factor authentication thing and set up a code? Like, we already have the Gmail app on your phone, or if you have an iPhone, you already have the Apple software. If you are - I don't know - my app - I'm sure Microsoft does it through some app. Twitter does it, and the same thing - you know, is this you? Like, it just asks you in the app. So it's very easy for people to set that up.
Rick Howard: So the Google way that Google does it, no codes are sent or needed. You just say, yes, it's me, when they send you that push notification. And that's how you get in. Apple's a little bit different. They do send you a code, but it's the same idea. But they don't use an app for it. It's just coming through on the iOS operating system, which I thought was interesting but still the same idea, right?
Chris Hoffman: Yeah, yeah. It's the same idea. It does give you, like, codes that confirm, like - there's always the risk that if it pops up - is this you? And then when people say, yeah, yeah, you know, go away, message - right? - this is me, then when you say, like, OK, this is actually me, you'll have to enter the code and confirm that people didn't accidentally allow access to their account.
Rick Howard: So the last one on your list is something called universal second-factor authentication. And this is the new kid on the block. Some of the big players have gotten behind this new standard. Explain what this is.
Chris Hoffman: Honestly, there's been a long road to this. I mean, anyone who is into this sort of was hearing about a Yubikey, you know, years ago. They basically had a, I guess, proprietary solution, and then it became FIDO U2F. And then now it's - FIDO2 is actually the next thing. And that's the - what everyone is jumping on now. And there's so much energy and development around FIDO2. But the idea is that there will be a USB key that you put in your computer, and you carry it with you. I mean, it can be a physical token. It can be not a physical token. You know, originally it was very much about, like, a USB key that you plugged in. Then we got the NFC, so you can tap on your phone if it doesn't have a port. And then we have the Bluetooth.
Chris Hoffman: And then now what's happening is there's a lot of talk about basically building it directly into the operating system - I think is what's going on right now with FIDO2. You know, what if it was built into Android, Mac, iPhone, Windows? - and basically have this secure key that's managed by your device that then helps you log in.
Chris Hoffman: And what's really cool about FIDO and U2F is it actually checks to make sure that you're logged into the right one. So, you know, if you are logging in, it checks to say, hey; are you actually logging into facebook.com? - because if you're not logging in, I'm not going to send the two-factor authentication code because that then prevents there from being a man in the middle attack where someone says, I am facebook.com giving a two-factor authentication code. And then you get it, and then they pass it through to Facebook, and they get in.
Chris Hoffman: As you may know, there's that check almost if you're using a password manager. One of the cool things about using a password manager - even if you know all your passwords by heart, which - I don't know how people can if you want to use unique passwords everywhere - one of the cool things about using a password manager is it will only autofill the password if you're on the correct website. So if you're on some fake website pretending to be Google, it won't autofill because it's like, this is not google.com. So that's another cool thing with web authentication and the FIDO2 stuff - is it is confirming you're on the right website before doing that.
Rick Howard: So let's talk about that - right? - the U2F standard. It's generating asymmetric keys so that the website and the token have unique relationship to each other. That's how they discover if you're on the right website or if you have the right token. Nothing else can happen unless those things match. So that's the really cool thing about it. And what you mentioned, too - there's a couple of different versions of this. You could have the USB key. Like, I use a Yubikey in my own laptop for my own professional stuff, so that plugs right into the laptop via the USB port.
Rick Howard: But what I think is even more interesting is the NFC stuff, the near field communication devices. And these are the things that I've been using at my local grocery store on my phone, in my wallet app. I don't have to have my credit card with me anymore. I can just move my phone close to the NFC reader, and it validates everything. And I can use my credit card that way, so - without me having to plug in anything, which I think is very interesting.
Chris Hoffman: You can get a key that has a USB and it also has NFC so you can plug it into your laptop and use it that way. You can tap it on your phone and use it that way. Let's be honest, right? The concept of having to go buy a, like, physical USB key or a little device that you carry with you and use to sign in is very kind of geeky. There's a mass market...
Rick Howard: And I'll lose that one. If I have to put a little key on my keychain, I'm going to lose that in a couple of weeks. So that doesn't work...
Chris Hoffman: Right.
Rick Howard: ...For me. But I'm not going to lose my phone. Even I am responsible enough not to lose that thing. So I think that's where all this stuff should go to, right?
Chris Hoffman: Yeah. It's going to become kind of app-based authentication where you'll sign in. And in your phone or something at the same - like, hey, you're actually trying to sign into this pool, they're using Bluetooth, just to confirm, like, OK, is your phone near your laptop or a device that you're signing into it? And it's not just someone is five states away trying to sign in. You see the message, you accidentally tap allow, and uh-oh, you know, what happened? Like, they're confirming everything is working as intended there.
Rick Howard: So the NFC is a protocol, right? And it helps two devices communicate wirelessly when they are placed right next to each other. And the protocol says it's about 4 inches is the range. So it's like I said, using your mobile device when you walk through an airline, you know, check station, you know, that's how your mobile boarding pass works. And then devices with NFC hardware can establish communications with other NFC-equipped devices. And then they have this other thing, which I really - I find fascinating, called NFC tags. And these tags are unpowered NFC chips that when you get into proximity of a real NFC device, it gets power from that device. That is just phenomenal. And that protocol, relatively quickly developed by those Silicon Valley partners and the FIDO association.
Chris Hoffman: Yeah. I mean, it's very cool when you think about it. You know, you take a lot of stuff for granted, but yeah, it's like a little USB, like, tiny little device. It doesn't have a battery, but, you know, when you hold it up to - It's just like your credit card.
Rick Howard: Right.
Chris Hoffman: Like, if you have a NFC-powered credit card, it doesn't need a battery, but it can communicate with that - when it gets near a powered device. And it is very cool.
Rick Howard: All right. So we have SMS verification, email verification, authenticator soft tokens with authenticator apps. We got push authentication and now this universal second factor. So, Chris, let's talk about the relative merits of each. We've kind of dipped into it a little bit. I mean, just set the stage for you. If I were to put all those methods that we just talked about on a 100-mile road between two great cities of, oh, my God, this is not secure at all to nirvana on the other side, we solved security, what would be the method closest to O-M-G and why? What is the least secure of the authentication methods that we just said?
Chris Hoffman: Oh, the least secure is definitely SMS or potentially email verification. That being said, I hate to say that because if you're not using anything, please, like, at least use SMS or email verification. It's so much better than nothing. It's a straight upgrade.
Rick Howard: Yeah. I would put the email verification slightly less secure than SMS. And the reason is is that your email account is unique to the user like a password, but, you know, you can access it from anywhere. It's not something you have on your person or some kind of biometric. So it's kind of like having a second password, you know. It's better than not having any, but not by much. But then again, it's probably OK for everyday things like logging into the library or whatever. As long as you're not managing some super state secret, email verification and SMS verification are probably OK, right?
Chris Hoffman: Oh, yeah, exactly. But, of course, one of the problems is that I'm sure everyone has seen, you know, SMS verifications used by banks and, you know, utilities and the government and all these really important services. And it's kind of funny. I mean, I don't know. It's a little unfortunate. But, you know, the newer methods are generally more supported by like Google and gaming services and tech companies and all the kind of very online stuff. And it's like, well, I don't know. Like, I wish I had, you know, stronger two factor on my bank account than I do on my Google account, you know.
Rick Howard: It's a good point. So you mentioned before some of the problems with SMS verification. And you were describing one. It's called SIM swapping. And they - basically, the bad guys social engineer your phone company into moving your phone number to their bad guy phone. And that's the same process that you're going to use next year when you buy that new iPhone 14 model. So when that happens, every time you try to log in, the SMS code will be sent to the bad guys' phone instead of yours, and then they could use it to log into your account. And that's been seen in the wild. So now we know that's going on.
Rick Howard: And then the second one demonstrated in the wild also is when, you know, nefarious governments intercept SMS codes through their normal signals intelligence collection process. Right? So that, you know, in other words, spying. Right? So we know that's going on. And then the third way is when bad guys compromise the victim's SS7 telephone network and reroutes the code to their bad guy phone. For those who don't know, SS7 is the Signaling System 7 standard that defines how public telephone networks work. Some bad guys can, you know, get in there and intercept your codes. Having said all that, we were talking about this before, SMS and email's probably fine for a run-of-the-mill internet use. But if you're - you have material information you're trying to protect or if you're a spy, maybe steer clear of SMS authentication. Is that - are you following me on that?
Chris Hoffman: Absolutely. It really is, you know, everything in security is about your threat model. So you're just an average person? It's not a big deal. If you have $500 million in cryptocurrency and you have it protected by just SMS authentication, like, reconsider that because, you know, you're a pretty serious target for criminals to target if they can get through that.
Rick Howard: So the third one I'd put on the list after SMS authentication is the authenticator soft token. These are authenticator apps. This is pretty good, right? This is way closer to, you know, nirvana on our little roadmap we were talking about before. It's still susceptible to man-in-the-middle attacks if the user is tricked into entering the code into some bad guy controlled phishing site. The attack sequence is easier to do than, say, compromising that SS7 we were talking about. But this is definitely in the skillset of the modern-day cybercriminal. In order for it to be reliable, though, the attacker has to grab the code and log into your account before the authenticator changes it. So timing is critical, but it doesn't make the attack impossible, just way more difficult. Do you agree that it's third on our list of being the best secure but probably way better than the other two?
Chris Hoffman: Yeah, definitely way better than the other two. It does have that risk of - it's more susceptible to man in the middle types because it's really not confirming, are you on the correct website? And then it also has the problem of - let's say you drop your iPhone in a river. You get a new iPhone. You have the same phone number. How do you get the codes from your app? So unfortunately, generally - and this is going to be a curveball, but people don't focus on this enough. Generally, there's a way to get - be like, oh, I forgot my - I lost my app. And generally, the way that they do that is they say, OK, we'll send you an SMS or an email code.
Chris Hoffman: So unfortunately, even if you use the more strong methods, often it's possible to get around them. And it has to be because there's not really a good way for recovery to work for an average person that's using this and loses the thing. So, you know, Google actually has a super-secure program kind of intended for journalists, and it uses a key. And there's, like, no way around it. And - but generally the way those things works is if you lose your key - if you lose it, you lose your data.
Rick Howard: That's a really good point. It works great if everything is working fine. But if there's some issue because you've lost your phone or you screwed up somewhere, that's the hole in the security infrastructure that the bad guys can walk through. That's really interesting. I hadn't thought of it like that.
Rick Howard: The next one is the push authentication. This is even better. Victims have observed bad guys sending notification flooding attacks to their phone. You were mentioning this before. It's a nuisance attack. They just keep sending these push notifications, and the victim just gets tired of swiping left or whatever. And they finally just say, yes, yes, it's me, for crying out loud, leave me alone. And then that's how the bad guys get in. So that's possible.
Chris Hoffman: I don't know if I've heard of it that much in the wild. I'm sure it's possible. I'm sure it happens. It's almost a good thing because if you see that kind of thing, you think, oh, someone's trying to get access to my account. I better go change my password.
Rick Howard: Those kinds of attacks are perfect for a victim like me because, you know, I'm not paying attention, and I get busy. And I'm just like, leave me alone. Leave me alone. I'll push it. Be quiet. So, yes, I would be susceptible to that. And then the last one that's closest to nirvana in our roadmap - right? - is the U2F authentication. If you have serious security requirements compared to just surfing the net, this is the way to go, right?
Chris Hoffman: Absolutely. If you have a ton of cryptocurrency that you can part with and you want to be sure it's secure or you're a journalist or someone who's really, really important and potentially a target, it's really important to, you know, protect yourself with that type of thing. And I think the USB keys actually do work pretty well. And I think it's really exciting that that kind of thing is being used as the basis for the future for kind of everyone, the more kind of mass market and easily adoptable system that'll work through all your devices, like Microsoft, Apple, Google, getting aboard.
Rick Howard: Well, the problem today, though, is that the solution is not widely adopted and still maturing. FIDO is the alliance. It's called Fast Identity Online. They're the standards body that's pushing the U2F authentication technologies, right? But according to the 2021 Hype Cycle Chart for Identity Access Management by Gartner, Gartner puts the FIDO Alliance's efforts as still traveling down the trough of disillusionment but estimates two to five years before it reaches the plateau of productivity. I think that's about right. I expect to see more and more people glomming onto this - security people and tech people first, but then the grandmas of the world will start getting it. I think two to five years is probably right.
Chris Hoffman: I really hope so. I think we have good reason to be hopeful that that is the case this time.
Rick Howard: All right, Chris, well, good stuff. Thanks for doing this for us. So that's Chris Hoffman, the editor in chief of the fantastic website How-To Geek. Chris, thanks for coming on the show and explaining this stuff to us.
Chris Hoffman: Awesome. Thanks so much for having me.
Rick Howard: Call me crazy, but I don't think that the number of passwords that LastPass will be managing for me in the next decade will go down. With the Internet of Things growing widely and 5G networks just over the horizon for common use, the volume of accounts we will all have to manage in our personal and professional lives will just continue to grow. Authenticators, soft tokens, push authentication and U2F will be in our lives for the foreseeable future. And maybe somewhere along the road between OMG and nirvana, we might just get rid of Dr. Corbato's stopgap measure from the 1960s altogether.
Rick Howard: And that's a wrap. One last thing - I wrote a companion essay for this show, as I do for all the shows. But at the end of this one is a small timeline of two-factor authentication, history and evolution. You can find the link in the show notes. And I want to thank Chris Hoffman, the editor in chief of the How-To Geek website, for sitting down at the CyberWire hash table and helping us understand how two-factor authentication works.
Rick Howard: Next week I will be doing another Rick the Toolman episode, this time on software-defined perimeter. You don't want to miss that. And as always, if you have thoughts about this week's show or any thoughts in general, send them to email@example.com. That's CSOP, the at sign, thecyberwire - all one word - .com.
Rick Howard: The CyberWire "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.