17
Mar 17

Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam

Just a friendly reminder that phishing scams which spoof the boss and request W-2 tax data on employees are intensifying as tax time nears. The latest victim shows that even cybersecurity experts can fall prey to these increasingly sophisticated attacks.

athookOn Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Alexandria, Va.-based Defense Point Security (recently acquired by management consulting giant Accenture) informed current and former employees this week via email that all of the data from their annual W-2 tax forms — including name, Social Security Number, address, compensation, tax withholding amounts — were snared by a targeted spear phishing email.

“I want to alert you that a Defense Point Security (DPS) team member was the victim of a targeted spear phishing email that resulted in the external release of IRS W-2 Forms for individuals who DPS employed in 2016,” Defense Point CEO George McKenzie wrote in the email alert to employees. “Unfortunately, your W-2 was among those released outside of DPS.”

W-2 scams start with spear phishing emails usually directed at finance and HR personnel. The scam emails will spoof a request from the organization’s CEO (or someone similarly high up in the organization) and request all employee W-2 forms.

Defense Point did not return calls or emails seeking comment. An Accenture spokesperson issued the following brief statement:  “Data protection and our employees are top priorities. Our leadership and security team are providing support to all impacted employees.”

The email that went out to Defense Point employees Thursday does not detail when this incident occurred, to whom the information was sent, or how many employees were impacted. But a review of information about the company on LinkedIn suggests the breach letter likely was sent to around 200 to 300 employees nationwide (if we count past employees also).

Among Defense Point’s more sensitive projects is the U.S. Immigration and Customs Enforcement (ICE) Security Operations Center (SOC) based out of Phoenix, Ariz. That SOC handles cyber incident response, vulnerability mitigation, incident handling and cybersecurity policy enforcement for the agency.

Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone’s taxes and request a large refund in their name. Scammers in tax years past also have massively phished online payroll management account credentials used by corporate HR professionals. This year, they are going after people who run tax preparation firms, and W-2’s are now being openly sold in underground cybercrime stores.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

ANALYSIS

I find it interesting that a company which obviously handles extremely sensitive data on a regular basis and one that manages a highly politicized government agency would not anticipate such attacks and deploy some kind of data-loss prevention (DLP) technology to stop sensitive information from leaving their networks.

Thanks to their mandate as an agency, ICE is likely a high risk target for hacktivists and nation-state hackers. This was not a breach in which data was exfiltrated through stealthy means; the tax data was sent by an employee openly through email. This suggests that either there were no DLP technical controls active in their email environment, or they were inadequately configured to prevent information in SSN format from leaving the network.

This incident also suggests that perhaps Defense Point does not train their employees adequately in information security, and yet they are trusted to maintain the security environment for a major government agency. This from a company that sells cybersecurity education and training as a service to others.

DON’T BE THE NEXT VICTIM

While there isn’t a great deal you can do to stop someone at your employer from falling for one of these W-2 phishing scams, here are some steps you can take to make it less likely that you will be the next victim of tax refund fraud:

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.

Consider placing a “security freeze” on one’s credit files with the major credit bureaus. See this tutorial about why a security freeze — also known as a “credit freeze,” may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. While it’s true that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN.

Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.

Tags: , , , , , , , , ,

88 comments

  1. Just curious. If something like this happens. Does “Defense Point Security, LLP” lose “Defense” and “Security” from its name?

    PS. There must be some government program to protect people from the loss of their SSN. (Hint: Maybe let people change their SSN if such is the case?)

    • Careful, with the cure crowd in DC, they might just cancel social security by claiming it is the problem for existing as a prelude to shutting it down. (Or say something nonsensical like they have to shutter it because they are running out of numbers.)

    • Stopping using SSN as some sort of authentication number would be a start. No?

      • Right! The SSN is a dandy identifier but a miserable authenticator because authenticators must never be researchable.

      • For the millions of Americans 65 and over, Medicare uses our SSN as their “claim number” (=ID number). It’s on our Medicare ID cards and every letter and transaction they send out. LOL keeping it secure.

        • Millions of Americans younger than 65 (but not by much) remember the day when social security cards said “… Not For Identification Purposes”. But the government in it’s infinite wisdom decided to allow the SSN to become the de facto national ID number. Thirty years down the road, that little loss of four words of text has cost businesses and individuals billions of dollars because once that national ID number is in the wrong hands, anything of yours is open to them.

    • Accenture bought these clowns for MILLIONS of dollars. I hope the stockhokders of Accenture’s sake they have an “earn out” clause to divest distance themselves from these incompetent fools at DPS.

  2. IRS iTUNE cards (real)

    Good Article as usual !

  3. I don’t agree with DLP being an effective means to mitigate against this genre of attack — however, the point about ineffective security training is spot on.

    • DLP, properly implemented, is absolutely a positive control. Fingerprint your employee data, looks for the indicators of IRS forms, etc. DLP generally fails when non-technical management gets in the way.

    • Many years ago Marcus Ranum wrote that if security training were going to work, it would already have done so. He’s right.

      • It’s possible that he’s right. It’s also true that the vast majority of what passes for “security training” (or any training for that matter) is someone standing in the front of a room reading spectacularly dull Powerpoint presentation. No information gets transferred from the reader to the listener because the reader doesn’t have a clear idea of what he wanted to say, and the listener’s brain shut down 30 seconds after the talk started.

  4. Hope they spend some time working on education and exfiltration protection. Would hate to be the guy in charge of security for this one. Unbelievable.

  5. I followed your advice and put a freeze on my credit at the major credit reporting agencies some time ago. Recently I had to unfreeze them because we are refinancing. It was easy to contact the credit reporting agencies and unfreeze the credit reports either for a one time or a specific length of time. Was not hard and has brought me piece of mind. Thank you Brian for being such a great teacher when it comes to cyber security.

  6. On the local Austin news this morning…the City of San Marcos, TX is dealing with this right now. They had an employee in the city’s payroll dept. who fell for a phishing e-mail and released more than 800 current and former employees W-2 information.

  7. Does that mean the govt employees will get another 10 years of ID and credit monitoring?

  8. For sure, Defense Point should have it more together: especially since security seems to be their line of business and private data breaches are as common as the cold.

    BUT, the IRS should have corrected this now ubiquitous system wide security gap with all registered tax payers (individuals and companies) using reciprocal encrypted identification and communication protocols with phishing contact snares, magnets and booby-traps.

    And companies that fail to protect themselves from this type and scale of breach should have already been legally, independently accountable to use safeties. Having no security protocols in such an obviously vulnerable area should result in a fine.

  9. The IRS will always contact you by paper mail and not email. I am really surprised someone was taken in by this scheme.

    • Seems to me that it might be a good idea if the IRS had a program instated where they email everyone in their records, in order to educate everyone that the IRS will never use email, only criminals

      Just like my other idea, some part of american cyber-security ought to include a type of proactive education where all citizens are targeted with a ‘educational malware’ that if acted on will lock out their computer for one hour while displaying a message that they should have known better and explain how to avoid real spear-phishing attacks

  10. It amazes me how stupid people can be in this day and age. Even my own friends and family are absolutely clueless at whats going on out there with cyber criminals and identity theft. They just live life oblivious to anything going on in the world. Probably just like the person who gave up all these peoples w2 info. Idiots! I can not understand how anyone can be this stupid. Stuff like this makes me wonder if they were actually in on the whole scheme.

    • lets give 25 years life sentence to the person who leaked info.
      And 50 years to all it team. Lets punish them !!!

  11. This happened to one of the local school systems here in North Carolina too.
    http://www.the-dispatch.com/news/20170211/dont-take-bait-data-breach-raises-questions-about-cybersecurity The article provides a few more tips for victims, from yours truly. As CEO of a cyber security, I live in constant fear an event like this.

  12. C mon ? Who cares about this w2 thing??
    We all know its goverment own consiparcy and every
    criminals who earn a lot money are guided by goverment
    world wide secrets service agents.
    Many will not even undestood.
    all this cybercrime money goes to ISIS and for other bad guys.
    when we can stop this evil ?what is the point of all that Evil? ?
    All the world is downfall lets focus on real problems
    like terrorism in europe.
    And “hooknouse” world raping.like they did many years ago in eastern europe.
    Lets focus on things like people getting killed everyday.
    and poverty… world is like Titanic it will sink.
    specially economics will collapse.
    even if someone will expose names connections and facts…then what will change?? I think nothing..
    the world is so hopeless no hope anymore it does not matter anymore everything is going to downfall

  13. Know that company, DPS, they were so full of it and conned the government out of millions providing no capabilities. Congress should review the con artists’ (DPS’) handiwork of reporting little or no malware while the US Government was under siege.

  14. Simon Smith here, that is exactly why the entire teaching of Cybersecurity has been incorrect in most of its ways, and only experienced practitioners can see this. I have been a Senior Programmer, Investigator, Reverse Engineer, Security Expert, Counter Intelligence Expert, Corporate Shareholder, held and overseen every role in the SDLC at management level, but most importantly as the backing has been in pure expert programming, reverse engineering, security, counter intelligence and people management – the combination of all those elements formulated over 20 years equals something you cannot learn in 1 course. It is something I have over about 10 Post Graduate Cert/Dips. It is something I grew up with passion and committment, programming at 11 years old.

    It is something that allows you to practically predict what will happen and what could happen because you have grown up through the birth and lived, and breathed the consumer internet and before that already have the logic foundation mastered.

    It is something that a Cybersecurity expert MUST master and cannot be taught without mastering all other disciplines, and cannot be given in a 1 hour exam and 3 months study or a degree. It is obvious to experts who has it and who doesn’t who overuse the word “cloud” and “IoT”. It is the answer to the very question why this occurred. It is how I catch cyber stalkers and cyberscammers every day. Some syndicates worth over $50m, no IP, no clues, but with this skill.

    Mastering Counter Social engineering and realising the power of how the human is the key to any information system and how little IT Security plays in the scheme of things. It is a drop in the ocean. Cybersecurity is about people, practice, and hacking of the mind – and a real expert must be able to defend that, which includes stopping false information from being believed. Humans have always been the weakest link in any information system.

    I Simon Smith say, humans are the Cybersecurity risk of the future. We create our own terror. Think back a bit and find an article I wrote about a Virgin Airline flight and a Samsung Galaxy Note 7. Perfect example.

    “Humans are the Cybersecurity risk of the future”.

  15. Never underestimate stupidity. My wife’s company got hit last year. Thousands of W-2’s. A simple policy change would lessen this: Anyone receiving an email requesting employee data of any kind must voice verify the email before releasing anything. How about picking up the phone and contacting the sender for verification? Common sense. Is that too hard to do? Sheesh…

  16. Wow, love the band wagon “security experts” on here.. this kind of thing can happen to any organization. Just because they are a security company doesn’t make them immune to these risks. Back office employees and HR folks are not all security experts. A humbling experience for sure, but shouldn’t discredit their past performance as I know personally the work they have done and stellar reputation they have built for themselves. I’m confident they will make the necessary changes internally to prevent this from happening again. Until then, most of you in here commenting should chill out.

    • Totally agree. This could happen to any of us–we are all subject to human error.

      Sad to see that Krebs has resorted to “making a buck” off of someone else’s (a very likely occurance in all of our situations) downfall. Would be good to see better judgment on his part to use not only a little more integrity (not using an organization’s “internal only” communication), but also do some actual research to educate us beyond a threat vector we are already very aware of.

      • Human error? Of course we are. But the at the crux of error is wisdom — which is the lasting experience of learning from one’s mistakes. If we don’t learn from our mistakes, we are doomed to repeat them.

        I find it interesting that you view what I am doing as “making a buck,” and it suggests a disdain for the role of the media (at least, the independent media space, where I work).

        Of course I have advertisers on this site where I otherwise give away my content for free, but you’re mistaken if you think any (print) journalist is in it for the “bucks.”

        • @Brian: Obviously “Matt” works for Accenture or DPS and makes a buck that’s now worth with less than buck. You rock! Great article! @Matt: Good luck with a soiled resume working with clown shoes.

          • With a chosen name of “secwiz” oh who could argue. proper recon is your foundation, get facts before even thinking about attacking. yall skipped step 1. (though, maybe you were distracted by your itchy neckbeard so it’s not all your fault) … and instead, built a foundation on assumptions. that means this is a clickbait article, not a proper analysis of what actually went on. nice try though “secwiz”. Still, good points all around. main point of the article is, it can happen to anyone. so don’t feel so confident about your shiz, and then you look at the comments…. and wow.

        • Also, whether you allow this through moderation or not…to be level with you, i don’t think anyone here disdains independent media. you should keep doing what you do. it’s just obvious how easy it is, by the way these things are written, that your audience constantly misses your main points and focuses on pointing and laughing instead. that’s why most people are here. thats the only thing most people are taking away. that’s why people keep coming back. whether you like it or not, thats why people read these. to feel better about them selves and thats about it. which, is the opposite of the point you were trying to make in that this could happen to anyone, so don’t get comfortable, which is absolutely 100% correct

          • I don’t censor comments, unless they are so blatantly offensive and/or bigoted that it doesn’t have a place here. When readers file multiple comments very quickly — as you seem to have done — the system tends to flag that as spammy. Also, profanity will get your comments auto-moderated.

            So it sounds like you don’t have a problem with my story, but the comments on the story? I can’t help what reaction readers will have. And again, I don’t censor people just because what they have to say doesn’t exactly expand the discussion.

            I happen to think it’s pretty important that an organization which manages the security operations center for ICE isn’t able to stop an email full of hundreds of W-2s from leaving its networks by policy. The fact that it didn’t suggests that far more sensitive data could leak out of the company and no one would notice.

            • Brian: The DPS gang is frightened and angry because they know they are dumb, just look at them:
              https://defpoint.com/corporate-info/corporate-bios
              They can’t bribe their way out of this one like they did to land Federal contracts. The only “rube” is those guys at the aforementioned link. Keep up the great reporting.

              • You sure like running your mouth… “just look at them”? What kind of comment is that. You sound like you just didn’t make the cut or work for one of their competitors. Get a life.

                • No, it’s time to drain the swamp of your kind is all. Should’ve had more votes for $hillary to help you.

                • Nah just want the swamp drained of tax payer waste is all. Don’t take it personal. You probably aren’t dumb, you made a lot of money. Go to a warm beach and enjoy.

                  • Somehow intertwine the election into this, man you are full of credibility and wisdom. I’d love to know whose environment your “securing” to be such an expert. Someone says “cloud security” and you probably turn it into a global warming debate.

    • While the HR people possibly made an honest mistake, the dum dum boondoggles at the company watching the data and establishing security controls should’ve been knowing whisky tango foxtrot they were doing. Why the tax payers pay for this incompetent nonsense is unbelievable.

    • “Back office employees and HR folks are not all security experts.”

      Maybe not security experts.
      BUT, in a company such as we are talking about they should be trained not to fall for phishing scams. That training should be periodically reinforced with checks, such as a simulated attack to see if the training was effective.

      Come to think of it, all companies should do that.

    • “Back office employees and HR folks are not all security experts.”

      This is such a big part of the problem. Your suggesting since ‘Back office employees and HR folks’ did not get doctorates in IT that they don’t need to have enough common sense to understand what comes in through email (the most vulnerable and most used method for infection) should not be completely trusted. Too many people honestly believe they don’t need to understand ANYTHING about computers and related technologies. This is incredible! This is precisely WHY this problem is getting worse. It is why we can’t get anywhere. This kind of thinking is what stands in the way of any real fix.

      HR folks are responsible for some degree of the company’s assets, employees, and money………so why not start acting like it?

      Passing the buck and making it someone else’s responsibility is not going to solve anything.

  17. It’s happening all over, with one recently in a small (but rapidly-growing) city nearby:

    http://kxan.com/2017/03/16/hundreds-of-w2s-stolen-from-city-of-san-marcos-in-email-scam/

    I suppose the best advice to IT administrators is don’t skimp on the relevant education for people in key positions with access to the W-2 database, and try to drill into every employee’s head that such phishing requests need to be treated like the old carpenter’s adage about measuring twice before cutting something the first time — think about it and check with the ostensible sender via a secure, direct method before fulfilling such requests.

  18. World= in the world is always less money but more people.
    order to get money u got to fight for it.
    like accient game: everybody must change chairs after music is stops. But there is less chairs but more people.

  19. Write protests@gao.com to tell GAO to look at the dumb people securing (DPS) the government to eradicate this mess. Who was watching the DPS network when phish attacks inevitably occur? Who at Accenture paid them for their expertise? Going to start a fund me page to get paid, too. I’ll secure your network then fall asleep at the wheel. Dang!

  20. George MacKenzie calls his employee a victim of a phish attack. Isn’t Mr. MacKenzie the one who allowed his employee to be a victim not understanding defense security and not having proper controls? Why didn’t he write that instead?

  21. Individual W-2’s do have to be given again to employees for various legitimate reasons. The entire set of W-2s for a company with many employees? Seems unlikely. If software vendors/HR departments setup an level of authorization preventing access of the entire set, that would solve a lot of these problems.

    • A government contracted firm hired to protect the government for security use authentication? They should know better if they weren’t out spending the taxpayers’amoney laughing at us, yes! Or, they could use password encrypting of the data is another good idea . Or, using data loss prevention as mentioned in the article. Setting up email to not have phish attacks occur is another good idea. Next they need to buy a phone to call someone to get a clue. This place ought to be audited for their work with the government heavily and held personally accountable without golden parachutes for all their mistakes uncovered.

  22. IMHO: all employees who send sensitive information out in an E-mail should be fired. All sysadmins who let these kinds of attachments through their mail servers should be fired. Unless there are personal consequences hitting relevant personnel, all this talk is just an empty talk. You cannot run peaceful society without judicial system and appropriate enforcement. The same applies to computer security.

  23. People people just give up !
    All the world is full of corruption
    thiefs lias..conpiracies. lias lias.
    give up !! Leaders are too strong.

  24. It blows my mind that emailing the entire companies W-2 forms is a reasonable request,even within the company. Don’t most companies have shared drives by now? With access control on the shared drive?

    At the most, the email reply should have contained a link to the file on the shared drive containing the requested information. This is an IT LAN setup failure as much as a phishing failure and DLP failure.

    • Totally agreed, the stakeholders at any organization need to gather round and sign off on what’s at risk and then protect that. If they don’t protect their employees critical data means they are either inept, or they don’t care about their employees, or both. I bet the CEO George has a big fat paycheck from Accenture and Uncle Sam and could care less. Further, how the hell are they protecting something as important as national security?

  25. You do realize how taxes work, right? A “big fat check from Accenture and Uncle Sam”? Coherent sentences and common sense will get you far.

  26. If I got phished I’d file out a fake W-2 with this number.
    https://www.ssa.gov/history/ssn/misused.html

  27. Brian,

    With all the stories you’ve written about filing tax returns early, is there a way to do a follow-up of someone that has experienced the problem of “sorting it out” after a crook filed before them?

    I’m curious as to the process and whether or not the IRS issues duplicate refunds or tells the person that since they’ve already filed they don’t get a refund. What if you owe? Do they add the fraudulent refund total to the amount you owe? I HAVE QUESTIONS!

    Thanks…

    • Last I heard, the IRS struggles with that because they had a law to guard against phony returns. The law never envisioned people filing phony returns because (guessing) the law was established from back in the day when the idea was no one would ever figure out your social security number. So, one is only allowed to file one return. If it’s the phony one that’s filed, it’s a problem. Apparently, the fraud is so rampant of this nature that bad people are giving up the drug trade business to get in this. 60 Minutes (Google 60 Minutes IRS scammers, first hit) special where they explain the entire problem and even interview a now jailed scammer who explains how easy it was. In this scenario, in the article, it could be a nation state attack for these folks who didn’t secure their network even being in the business to do so.

  28. Wouldn’t the simplest thing be for the IRS to send a letter to the last known address if a return shows up at a new address?

    Dear holder of SSN 078-05-1120:

    We have received a filing in your name with an address that is different from last year’s filing

    123 Main Street
    Anytown, YS

    If this is in error, please contact us immediately at the address below.

    Thank you,
    The IRS

    Or, how about requiring that any refund sent to a new address be picked up in person? There would probably be certain crooks dumb enough to show up.

  29. Two things:
    First — annualcreditreport dot com is the way to get your credit reports from the bureaus if you’re a US resident.

    Second — my company has a policy saying nobody will ever use email to ask anybody else to send personal info or perform funds transfers, and saying it’s always OK to double check such instructions by voice phone or in person. It’s a good policy. It’s saved us from at least one phishing scam. It’s not hard to implement.

  30. First weneed undestood why things happening
    Guys did you know that its criminal act to have more
    then 100000$ dollars as personal money.
    that much money even billionaires don’t have.
    reason for this is coz when banks printing money
    they don’t print money for intress. They printing only
    principal coz everytime when someone borrow money
    from bank the bank printing for him just principal. But
    there no money for paying intress. Now if you born then
    once u get birth of certificate the federal reserve printing
    money for you but this money will be availble for you only
    if you have been working. Otherwise this money remains non active. More then 1000000$ only corporate or businessias can own legally. coz one person can not hold money of 10 persons principals. First rule is: billionaires dont have money.
    if they would then the will have all the money and simply we would not have any money in circlelation.
    tge same reason why its problem to be drug cartell coz law does not allow you to hold others principal.
    Now the question is how the billionaires are so rich if they dont
    have money? Answer is: they are just buffer for money.
    First rule in world: you can not steal million dollar and hold it..
    you must lend it out or invest or put it on circlelation.
    coz its bankers money and you can not own the money nobody never can own the money !!
    now when the old dept principal been payed then banks will print other principal for you to pay back the old principal Intress. Constant printing money will coz inflation it means money will loose the value but thats why federal reserve will increase the intress rate. To avoid inflation.
    fraud is just natural way to make sure the money is in circlelation. Bankers knows when money stop moving then money will loose more value. Remeber money is just liquid asset its like water. people might say that all our financial system is fraud by nature…but the question is do you know any better ways?? Im sure you dont know! Problem is p2p payments money without credit can not exisist never ever. Reason coz when we use credit free money then it has no value how we measure that how much money we can print out ? Dept is and credit is only way we can actually measure how much we can print out.
    so in law there no suc a things like stealing money..coz money you can not own. so usa economics is in so high dept that solution cant be nice. Yes fed can keep printing money but they cant rise the intress rate for ever. as we know everytime after biggest fraud booms the nation or country will have somewhat economics collapse like it was in uk when ukrainen thiefs stole banks money with zeus tool then after that we all remeber 2008
    Was economics crisis in uk. so basecly uk is bankrupted.
    Usa seems to be more tough country they still up and running…but i guess its only coz they print out mote agressively paper money. Anyways its all like titanic world economy in western countries is like titanic it will sink. But next time
    goverment will use bail in system those who have the most of wealth will be those from who the goverment will take the money to recover economics system.
    Ok guys now you know u got little economics lecture and hopefully if you are not with lamb brain you might undestood more about laws and how banking and goverment functions.
    those who say my grammar is wrong for them i say fck you.
    free person wright how he want. There is no need to follow the grammatics. As longes you know life prinvipal knowledge then you all set for life

Leave a comment