First OSX Bootkit Revealed

Trailrunner7 writes A vulnerability at the heart of Apple's Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac. The research is the work of a reverse engineering hobbyist and security researcher named Trammel Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example.

Hudson's bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple's RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker's key. The attack also disables the loading of further Option ROMs, closing that window of opportunity.

If the rootkit can close the hole

[phayes]

Then so can Apple.

From their reaction pushing out an automatically installed security patch for the recent NTP vulnerability, I'm hoping that Apple will furnish a patch before this ever becomes more than a Blackhat proof of concept.

Re:If the rootkit can close the hole

[c]

Then so can Apple.

More usefully, it sounds like the owner of the machine itself can patch it such that any Option ROMs need to be signed with their own private key rather than Apple's.

Re:

[_merlin]

If you stop option ROMs from loading, you can say goodbye to using external SAS adaptors, bootable NICs, etc. It might be OK if all you ever plug in is external displays, but you'd lose all sorts of functionality.

Re:

[rthille]

You just stop option ROMs from loading when you're patching the firmware.

Re:

[sjames]

The vulnerability only exists when the machine is booting in a special flash mode. Otherwise, the flash chip is locked making writes impossible until a reset happens before the option ROMS get run.

So only flash mode needs to disable the option ROMs. A normal boot can use them without risk of a re-flash.

Re:

[c]

If you stop option ROMs from loading, you can say goodbye to using external ...

Would it really be so terrible if the owner of the hardware could decide whether or not their device supported that kind of thing, or even which specific things it supported?

Not news

[fyngyrz]

Physical access to your machine (and/or you) can result in any number of compromises. This has been true since day one; it'll remain true well into the indefinite future (in fact, I see nothing at all coming down the pike that would ameliorate this in any way. I'm just allowing for the possibility.)

Re:

[Aighearach]

Like in the book Interface [wikipedia.org] by Neal Stephenson and George Jewsbury

Re:

[fyngyrz]

Exactly. You can also do anything you want as far as installing keyloggers and other future-action compromises.

If you require security for your data, then you need two things:

o Sufficient physical security (what that actually means depends on who you're defending against)
o Complete WAN network isolation combined with zero-executable transfer protocols. No scripts, macros, apps, nothing.

Without these things, it is simply not possible to assure security.

Re:

[rthille]

Only if they (Apple) patch it before the machine is rooted.

Re:If the rootkit can close the hole

[phayes]

If you would take the time to actually read TFA (yeah I know, heresy), you'd know that Apple has already addressed the vulnerability in recent minis & iMacs so the window is already closing.

Added to that, you need the exploit (which is closely held at present) & physical access to the Mac. This rootkit is extremely unlikely to be a problem for anyone.

Re:

[rthille]

I'd actually read the article before it hit slashdot.
Interestingly, why have they only patched it on recent hardware, when a software update (IIRC) could roll it out to most/all hardware?

Thunderbolt seems inherently insecure

[mattventura]

From what I understand, thunderbolt is essentially an external PCIe interface. That's inherently insecure. It was bad enough that Firewire gave devices DMA access, but with PCIe it will probably be 10x worse.

Re:

[DaHat]

Correct... and yes, yes it is: https://www.youtube.com/watch?... [youtube.com]

At least on a PC (which lacks Thunderbolt), opening the PC is required to exploit that vector... though there are still others... and many of them work without the need for any driver support.

Re:

[Lumpy]

No not really. I can modify the Bios from the OS on most PC motherboards.

Re:

[Carewolf]

From what I understand, thunderbolt is essentially an external PCIe interface. That's inherently insecure. It was bad enough that Firewire gave devices DMA access, but with PCIe it will probably be 10x worse.

Not bad for a desktop (assuming you don't encrypt your disks either), but a terrible idea on a laptop, and especially if you support encryption out the box. What is the point of encryption when you give even faster access to unencrypted memory with a convinient external port?

Re:

[mattventura]

On a desktop, I don't think it would be a problem. If you had a rather standard encryption scheme where you enter your passphrase on boot, it wouldn't be exploitable because someone would have to shut down the machine, stick a PCIe card in, and then boot again, thus losing the encryption key until it is entered again. It's just that laptops tend to have to have more exploitable interfaces that support hotplugging (like ExpressCard and Thunderbolt) whereas a desktop at most might have Firewire.

I'm surprise

Re:

[sjames]

IIRC, a SATA drive cannot initiate a DMA.

Re:

[Anonymous Coward]

And how is that any different from the PCMCIA / CardBus slots of the past? They were basically direct attachments to the peripheral bus too, but I guess back then nobody cared about these kinds of attacks, and it wasn't predominantly Apple using those expansions.

Re:

[mattventura]

It's no different than doing the exact same thing over Firewire, but it's a lot easier to hide an exploit in plain sight. When you exploit over something like Firewire or Thunderbolt, it could be a simple "Hey, can I charge my iPhone?". I remember an old exploit that you could do using one of the ancient Firewire iPods. That's a lot different than "Hey, can I plug this random card into your computer?" when you want to do it over CardBus or ExpressCard.

Re:

[sjames]

It's been done.

Some machines have a hardware jumper that must be set to allow flashing the BIOS. They all should.

Re:

[Anonymous Coward]

Apple now uses IOMMU to protect against DMA attacks. With it a Thunderbolt device cannot access memory it hasn't been granted. I believe Microsoft does the same with Window now as well.

It's called WireLurker, and it's already here...

[Press2ToContinue]

...infecting macs through innocent chargers and other USB devices, mostly acquired from China.

  http://www.engadget.com/2014/11/06/apple-malware/ [engadget.com]

Re:

[Jarik C-Bol]

Exactly. Physical access to the machine and all bets are off when it comes to security.

Re:

[fustakrakich]

I'm really curious what this hedge fund does that they need to do this kind of hardcore security research.

They need more bots to do those super fast trades

Re:

[_merlin]

Hedge funds employ lots of tech people. Someone has to write trading strategies, systems for getting generated orders to the brokers/exchanges, systems for assigning trades to accounts, and the glue that holds it all together. They also need an army of IT operations, support and security staff to keep the beast running.

Turn on FileVault

[pushing-robot]

FileVault 2 disables DMA over FireWire/Thunderbolt when no user is logged in or the machine is locked.

If you want an extra layer of security, execute this command:

sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

...and your Mac will erase its decryption key from RAM every time it goes to sleep.

Re:

[DaHat]

Is FileVault 2 enabled out of the box? If not... it's too late for most users.

Re:Turn on FileVault

[DaHat]

You now know about this issue and can do it to your Macs... and that of your family & friends... but what about all of those people who do not have a person like you? How do they get the fix?

Short of a mandatory update that is pushed down even on devices that opt out of automatic updates... how do you propose to push such a change?

So yes... too late. If the device leaves the factory in an insecure state, a significant number of units are basically guarenteed to remain that way until they are decommissioned years from now.

Re:

[Em Adespoton]

You now know about this issue and can do it to your Macs... and that of your family & friends... but what about all of those people who do not have a person like you? How do they get the fix?

Short of a mandatory update that is pushed down even on devices that opt out of automatic updates... how do you propose to push such a change?

So yes... too late. If the device leaves the factory in an insecure state, a significant number of units are basically guarenteed to remain that way until they are decommissioned years from now.

You don't seem to understand The Apple Way. Apple users in general don't disable automatic updates.

However, on Macs, some security updates are pushed to the systems as you describe. And beyond that, Apple has XProtect, which can push out-of-band updates even faster. This can be a headache for rolling macs out to the enterprise, as Apple sometimes (rarely) pushes fixes that local IT isn't prepared for.

Added to that, automatic updates are rarely avoided by Mac users.

Who these things will really affect are

Installed, yes

[SuperKendall]

As noted it's as simple as enabling it.

Most users will not, but then most also do not need to worry about someone physically capturing the system and installing malware then returning it...

Re:

[exomondo]

As noted it's as simple as enabling it.

How does filevault protect you from this? Filevault is fine once the OS is loaded but this attack occurs long before that.

Re: Installed, yes

[iluvcapra]

FileVault adds a bunch of secondary behaviors not related to the system drive. The advertised feature is system drive encryption, but it's effectively a "paranoia" mode for Macs.

When you're running FileVault, if no one is logged in, the machine will refuse to communicate with ANY attached external device, over thunderbolt or USB or anything else, but for one "main" display and the keyboard and mouse. Also the machine shuts itself down if it's left unattended with no one logged in for more than a few minute

Re:

[exomondo]

When you're running FileVault, if no one is logged in, the machine will refuse to communicate with ANY attached external device, over thunderbolt or USB or anything else, but for one "main" display and the keyboard and mouse.

No, this attack happens before FileVault starts running.

Re:

[iluvcapra]

If you turn on FileVault 2, the power-on and boot behavior of the system is also changed. External USB and Thunderbolt devices aren't mapped into the system until a valid user logs in. When the Mac boots to the login screen, only the keyboard, mouse, and the "main" display ports work; plugging stuff into the USB ports on the grey login screen doesn't work, they don't light up, the system doesn't access them, try it some time!

So, if a stranger has physical access to your machine, they won't be able to get

Re:

[exomondo]

If you turn on FileVault 2, the power-on and boot behavior of the system is also changed.

Ok, I haven't been able to find the information on that, but what I did see is that performance degradation is in the 20-30% range, which would dissuade most people from using it.

If you install a hacked Thunderbolt adapter and let it be connected during a firmware update, while you're logged in, you're screwed.

Yeah i'd imagine that would be a fairly easy thing to do, swap out a legitimate one for a hacked one, users would be wary about plugging in USB sticks but probably not so much about port adapters.

Re:

[pushing-robot]

During the Mac OOBE it prompts you to turn it on.

And if you *don't* encrypt your hard drive or set a firmware password, it's not like anyone with physical access needs a fancy thunderbolt bootkit to compromise your PC.

Re:

[vux984]

And what about when the machine is unlocked?

Re:

[pushing-robot]

Then the attacker types cp -R / /Volumes/NSA\ Data\ VacuumTM/

Re:

[vux984]

You simply take out your sidearm and shoot them as they sneak up and attempt to plug their Thunderbolt hacking gadget in

And what if the thunderbolt hacking gadget is the external hard drive you ordered, that was modified before you received it?

Re:Turn on FileVault

[pushing-robot]

Sorry to reply to myself, but after reading the full details on this vulnerability it's not like the previous Thunderbolt exploits I've seen, and my prior advice may not be sufficient protection.

It uses a string of vulnerabilities to flash itself into the firmware using Diagnostic Mode, which exists outside the protection of FileVault. To fully secure yourself you probably need to set a firmware password... not as easy as turning on FileVault, but it should only take a couple minutes on a modern Mac: instructions [tutsplus.com]

Hopefully Apple will take steps to close the vulnerabilities but it's not likely to affect many people; it requires prolonged physical access to the machine, multiple reboots and connection of hardware, and finally the cooperation of the user (logging in again) for the attacker to steal any useful information. Virtually any machine could be compromised under the same circumstances.

Re:

[bugnuts]

One of the big issues is recently "I'm going to scan your computer" stops at the border.

They can simply attached a thunderbolt drive and completely own your computer and there's not a thing you can do.

Re:

[l0ungeb0y]

Thank god I enabled FileVault on my shiny new MBP the day I got it. I'll research your recommended CLI command -- but from what I can make of it, it looks good.

Re:

[AHuxley]

Once control over a computer is lost, any actions during daily use can be networked.
The users computer loads some extra new software and is now more networked. A wide open path with access to load and then update any software.
Any use of any data stored or encrypted is then opened to any new logging or spyware installed as the user would do during normal use. New logging or spyware installed with the same everyday accounts and applications in use. Antivirus or an outgoing software firewall would just be

Re:

[halivar]

When you learn the skills needed for this level of hacking, you get to keep those skills. It's like asking a chef why he bothers preparing food when it's just going to get eaten. There are a lot of good reasons: it's fun, it hones skill, and if you're really good you advance your entire profession, and when you've done it enough you pass on your knowledge to your sous chef.

Re:

[Noah Haders]

also you can get paid to do it.

Re:

[disambiguated]

so much work put into finding and exploiting one tiny little thing that, like you said, is destined to be patched

And yet all that work is the reason it's destined to be patched.

Re:

[disambiguated]

the level of effort to actually generate an exploit that works regularly is the point of diminishing returns

You would think so, but experience has shown that without a working proof of concept exploit, software vendors dismiss the vulnerability as theoretical, downplay the severity, or outright ignore it. Sometimes they even ignore vulnerabilities with working exploits, if it isn't actually being exploited in the wild (that anyone knows about). And a working exploit is useful for testing your own systems.

Re:

[mlts]

What I've wondered about is something that was present on Compaqs back in 1993-1994 -- an "enable flash" jumper.

Having this would put a kibosh on flashing option ROMs without the user knowing. Of course, there is always the dancing bunny attack, where a pr0n site asks a user to follow some detailed instructions before downloading a codec, or a dodgy device from China won't work unless the user follows directions (including flipping that jumper and disabling signature enforcement.) However, a master switch

Re:

[Em Adespoton]

Unless you're going to factory-reset every time you leave you machine unattended it won't actually help you avoid this, it will only help you recovery once you detect it.

Actually, it would be worse: the attacker could factory-reset your machine and then apply the attack, making any applied patches useless.

Re:

[davidwr]

Actually, it would be worse: the attacker could factory-reset your machine and then apply the attack, making any applied patches useless.

1) The attacker would have to have physical access to the device to do the factory reset. Either that or trick the user into getting out the screwdriver.

2) Applying a subsequent factory-reset would remove any malware installed by the attacker. Data loss would result, but at least you wouldn't have a permanently-compromised machine.

Re:

[Em Adespoton]

Actually, it would be worse: the attacker could factory-reset your machine and then apply the attack, making any applied patches useless.

1) The attacker would have to have physical access to the device to do the factory reset. Either that or trick the user into getting out the screwdriver.

2) Applying a subsequent factory-reset would remove any malware installed by the attacker. Data loss would result, but at least you wouldn't have a permanently-compromised machine.

1) The attacker already needs physical access to the device to perform this attack.

2) As someone else said, unless you factory reset each time you use your computer, this is useless (as you won't know if the malware is installed until you perform a reset). After a reset, you would of course have to apply all the patches again before you could use your system safely.

You misunderstand the purpose

[davidwr]

The purpose of a factory reset is not to give 100% protection. It is not to mitigate all of the damage caused by the attack. It is to provide a way to rescue the hardware once the threat has been identified and means of re-infection have been gotten rid of. In other words, it's to save the cost of buying replacement hardware for a box that would otherwise be deemed "never to be trusted again."

Here are two examples:

1) A rouge employee tampers with a USB/Firewire/Thunderbolt device and uses that to infect

Re:

[Em Adespoton]

I understand the purpose... the problem is that it opens up an attack surface such that you can't trust your hardware anymore.

Now one thing that WOULD be useful in this specific situation is to have the flashing code separate from the EEPROM data itself, such that you can't swap out the signing key and lock out the original manufacturer from re-flashing the device. This would mean that a manual re-flash would always be possible. But a simple software or hardware-based "factory reset" runs afoul of the "wh

Re:

[davidwr]

how do you know the factory-reset hasn't been tampered with?

Because if it could be tampered with, then it wouldn't be a factory-reset procedure, at least not in the sense that I'm talking about.

Go back to my original comment [slashdot.org] and look for the word "immutable". I used it several times. If the "factory reset" signal is present (e.g. a jumper pin is set or a button is depressed during power-on) then the first code that gets executed is the "firmware-loading firmware" which was factory-installed and non-overwriteable. This code wipes out the existing "real firmware"

Re:

[davidwr]

it will only help you recovery once you detect it.

Bingo. No more "once it's compromised, it's always compromised" and no more "corrupt the BIOS to brick the device" attacks.

Also, buyers of used merchandise can assure themselves that the BIOS is the factory BIOS, not one that a previous owner installed.

Not as bad as I initially thought

[dbraden]

I know it's dangerous to base opinions on summaries, but the summary says "during recovery mode boots". So, at least it doesn't seem to be as bad as autorunning files on a usb stick, which used to be pretty common.

It is certainly a serious vulnerability, but considering the number of times I've done a recovery mode boot, I'm not overly concerned about it.

Re:

[david_thornley]

One early attack on Macs (back in the days of MacOS 6 or 7 or so), included having a WDEF trojan on a floppy disk. Insert it into the machine, the OS draws the window to show the disk, looks for WDEF resources in the usual order, finds the WDEF on the floppy, and executes the arbitrary code contained in that WDEF resource to draw the window (and do anything else that was in the WDEF). The original WDEF virus was actually pretty harmless on the OS it was developed on, but had bad effects with later OSes.

"Firmware"?

[fustakrakich]

Looks like it's better to call it limpware if it's so soft and easy to reprogram.

Re:

[Lab Rat Jason]

So you're asking for "resoluteware?"

Re:

[fustakrakich]

I was always wondering what happened to good old fashion ROM in a socket. If you want an upgrade, a chip can be FedExed* to you

*Google isn't the only word to be 'verb-alized'

Re:

[Jeremi]

I was always wondering what happened to good old fashion ROM in a socket. If you want an upgrade, a chip can be FedExed* to you

Upgrading that way is a little bit more difficult now that Apple glues their computer cases together. :^P

Re:

[kybred]

I was always wondering what happened to good old fashion ROM in a socket. If you want an upgrade, a chip can be FedExed* to you

*Google isn't the only word to be 'verb-alized'

Any noun can be verbed. :-)

Re:

[Noah Haders]

he's asking for turgidware

Re:

[mlts]

I like how UEFI is now on x86 machines. Ships enabled, but easily turned off if you have any technical knowledge. Some BIOS config tools even put up a warning to help ward off "dancing bunny" attacks.

Maybe Apple should see about TPMs. On most machines, they ship disabled, but easily turned on. If FileVault 2 used a TPM, this would not just provide resistance to evil maid attacks, but would stop brute force password guess attacks in their tracks, since the key decoding the VEK would be stashed in the TPM

Makes me glad I run a vintage 8 core mac pro 2,1

[jerryjnormandin]

I modified the boot.efi to allow my old mac pro 2,1 to run Mavericks. I'm glad I never upgraded. My old mac with 32gb of ram is plenty fast enough.. make -j 20... all I have to say is wow this baby can compile code fast. I also have an NVIDIA GTX 560 graphics card and a vintage GT120 for boot selection. I picked another mac pro 8 core 2,1 on ebay and built up a 32gb8 core Linux beast running linux on bare mac metal. Now that I see thunderbolt is full of security holes I bet the next generation if

My kid does magic tricks...

[sootman]

... that involve me turning around for up to 30 seconds. It's cute. The lesson here is, if you let your machine out of your sight for a while, don't be surprised if it comes back rooted. Isn't rule #1 of computer security always "If you don't have physical security, you don't have security"?

What exactly is the vector here? Give someone a thunderbolt hard drive and hope they plug it in and hope they run a firmware update while the drive is connected? Oh no, this could affect potentially dozens of people per

Re: My kid does magic tricks...

[Sez Zero]

We have several new Mac laptops at work. They don't have an Ethernet port, so all of them are connected via Thunderbolt to Ethernet adapters. All the time. It seems like Ethernet or DVI adapters would be a great vector for this attack.

Re:

[Shados]

Ever worked in an office, and one day someone reports their expensive headphones got stolen by the cleaning staff? Then _IF_ you are lucky, someone looked at the security tapes and found them out? Usually the camera's not pointing in that direction though...

Now, thats easy to see on camera, someone running away with something big. Someone clipping a tiny little device to a lap-top thats barely in sight, while cleaning? Even rewatching the security tape 10x, you may not notice it. You also may not realize th

Re:

[david_thornley]

If the building has security insufficient to catch somebody stealing my headphones, it's insufficient to keep their computers secure. Companies set their own levels of security, and frequently just trust the cleaning staff or plant-watering service or whatever.

Re:

[jones_supa]

My kid does magic tricks... that involve me turning around for up to 30 seconds. It's cute. The lesson here is, if you let your machine out of your sight for a while, don't be surprised if it comes back rooted. Isn't rule #1 of computer security always "If you don't have physical security, you don't have security"?

It's not that simple. There's multiple aspects in physical security too.

I bet that if your operating system was password-locked, it would take more than 30 seconds for your kid to mess with the data.

Because if this was a company, that extra time would also have given the security guards more time to arrive at the scene.

A (usually inactive) bootkit ships on many laptops

[caseih]

The firmware has always been a possible vector for infecting a computer with malware, and we know the NSA has done it for years. This OS X bootkit shows one method of getting the malware into the firmware. I'm sure on many PCs the NSA could just flash a new BIOS, probably with the full support and help of the firmware manufacturers.

It surprised me to learn that laptops from popular manufacturers like Lenovo ship with a piece of BIOS-based malware called Lojack. Used as a method of theft prevention, once a

Re:

[jones_supa]

It surprised me to learn that laptops from popular manufacturers like Lenovo ship with a piece of BIOS-based malware called Lojack. Used as a method of theft prevention, once activated it can infect a fresh install of Windows with tracking software.

Even if it performs "sneaky stuff" I wouldn't call it malware as it is designed to help the real owner of the laptop in case of theft.

Hackintoshes are safe right? :)

[Torp]

As they don't usually have Thunderbolt, or if they do they boot differently.

How is it not the best in this case?

[SuperKendall]

Rather someone have to have physical access to a system (then also have to put it into a firmware update mode!) to install a boot kit vs. being able to do it remote or just by plugging in a USB stick for a second.

That is "the best" currently, even if it can be better (and another poster noted you are immune if you enable FleVault).

More than that

[SuperKendall]

It doesn't require someone having physical access to a system, it requires the user to connect a compromised Thunderbolt accessory

A compromised Thunderbolt accessory connected WHILE they are also booting during a firmware update.

Hope you got a lot of patience because I've not done that in years...

Re:

[Anonymous Coward]

A compromised Thunderbolt accessory connected WHILE they are also booting during a firmware update.

No, it just needs to be connected when they reboot. That is why this is an effective evil maid style attack, all you need to do is plug in the compromised thunderbolt device and reboot.

Still wrong

[SuperKendall]

From the summary, you didn't even have to read the article:

Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update

Not sure what part of "during a firmware update" you are failing to grok. A simple reboot alone is not enough.

Re:

[sjames]

Yes, it is. The option rom checks for firmware update mode. If it isn't in update mode, it sets update mode and resets the machine. POOF, you are now booting during a firmware update.

Re:

[david_thornley]

I have two possible reactions to an evil maid attack.

Usually, I don't care about them, because they're unlikely, and represent too low a risk (probability times damage) to worry about.

When I do care about them, I assume that there is an evil maid attack, whether or not I know about it, and consider any system somebody else has had unsupervised physical access to permanently insecure.

In neither case am I all that bothered by known evil maid attacks.

Re:

[gl4ss]

being able to do it remote or "just by plugging in an usb stick" requires the machine to be up and running.

big difference.

Re:

[OrangeTide]

Wasn't everything Apple supposed to be the best?

To be the best, you only have to make sure everyone else is worse than you.

Re:

[Anonymous Coward]

Are you going to go all "no mainstream Scotsman" on us now?

Re:

[Em Adespoton]

Are you going to go all "no mainstream Scotsman" on us now?

No *true* mainstream Scotsman anyway.

But we all know that Apple Macintosh isn't a true Scotsman's name....

Re:

[Trax3001BBS]

Fsck all those people that are the reason we can't have (keep) any nice things.

I had someone come in and take my Motorola XOOM tablet, it was rooted, and 4.2 thanks to hackers who did what Motorola said wasn't possible.

I found who took it so called 911, an officer called me asking what I wanted him to do about it, I said to shoot em.
It was taken as it was meant to of been, and they checked it out, still no word.

Re:

[Zontar The Mindless]

FSFS it's to HAVE been. What have they started teaching in lieu of English in US schools?

Re:

[Trax3001BBS]

FSFS it's to HAVE been. What have they started teaching in lieu of English in US schools?

Too old to care, let alone change.

Re:

[jones_supa]

It was taken as it was meant to of been

Heh. So far I have only seen "should have" being replaced with "should of", but "to of" is certainly a new one. :)