TJX Breach Began With WEP Crack 164
An anonymous reader sends us to the Wall Street Journal for a detailed report on what is known to date about the TJX data breach. It seems that the loss of over 45 million credit card numbers and more than 450,000 SSNs, driver's license numbers, and military identifications began with someone using a "telescope-shaped" antenna at a wireless link at a Marshall's near St. Paul, Minnesota in July 2005. The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TXJ fiasco could exceed $1 billion — not including the numerous lawsuits filed against the retailer.
Why isn't WEP recalled? (Score:4, Interesting)
In most industries if you ship such a flawed product, the manufacturer has some liability. They are still selling them today too.
Of course shame on TJ Max and the whole handling of this fiasco. Not that I ever did previously, but I would never shop there.
Terrorism (Score:1, Insightful)
If you continue to press your treasonous assertions you can and will be sent to Gitmo for social reconditioning: do not mess with their profit margin.
Re: (Score:2)
This is different from say, a laptop battery that by spec shouldn't burst violently into flames. When the flaw doesn't meet the spec, it is a recall. But like the 802.11N products. They conditioned the sales with PreN or something else describing how it doesn't meet
Re:Why isn't WEP recalled? (Score:4, Insightful)
Like any lock, (including WPA, no?) you can beat it with enough hardware.
If you're that paranoid, you're running a wired network anyway, right?
Re:Why isn't WEP recalled? (Score:5, Insightful)
WPA is more like a front-door with a keylock and a deadbolt. Someone could break in, but they'd have to at least take a little more trouble than pulling a coin out of their pocket like you can do with "interior" locks.
If it's something you need to be secure, then yeah, you should be running encrypted traffic over a physically secure wired connection, not broadcasting everything to the neighborhood.
Re: (Score:2)
Yet getting smacked by a bus is likely fatal in either case.
Just getting hardware that is compatible and configuring it for proper use is daunting.
Under Gentoo, my ipw3945 has been an absolute mother to get configured. Udev this, regulatory daemon that, kernel driver the other, firmware the fourth. Good thing that I'm into pain and suffering.
Re:Why isn't WEP recalled? (Score:4, Insightful)
I have talked to (business) customers who had their "son" or neighbor who is a part time rocket scientist put wireless in because they didn't want to run cables and I have cracked it while letting them tell us how secure it is. I'm not using anything special either, it is just commonly available script kiddie tools.
I'm not knocking WPA, I just know physical access to the network is a key part of any security. You wouldn't run a couple ports out to the street for anyone to connect to and do whatever. This is essentially what your doing with wireless. And once they do "whatever", you need another layer that you can detect intrusions with before the real network gets accessed in order to remain secure.
Re: (Score:2)
If you consider it difficult, I suggest you advertise for a new member of staff for the IT Dept.
Re: (Score:2)
Not every desktop operating system support the same feature in an VPN connection and some have alternative clients already installed that you have to account for. I have one setup were I need to un-install one VPN client to use another (internal conflicts and neither work with both insta
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
I've cracked WPA-PSK in under 3 minutes, but I got lucky on the dictionary key and I had, of course, gotten even luckier when I caught the initial 4 packets (amazing what happens when you power cycle an entire house
Re: (Score:2)
There isn't.
Isn't there a rainbow table you can generate against a WPA network based on it's SSID or something to that effect?
It's something like that. In answer to the grandparent post, I don't actually know *how* it works. It's something to do with not all the bits in the key being significant, but in a rolling pattern. So I suspect it's some sort of replay
Re: (Score:3, Informative)
You seem to have left something out: Cracking WPA also requires that the administrator decided to use a weak key, i.e. one that is susceptible to brute force or dictionary attacks. But if you are allowed to assume this, then any encryption is "easily" cracked. Even OTP is trivially cracked if the key sequence is easy to guess.
Re: (Score:2)
Quoting MechaBlue (from http://blogs.ittoolbox.com/wireless/networks/archi ves/cracking-wpapsk-6730 [ittoolbox.com]):
Assuming a decent utility is used, a 31 character long password of random upper- and lowercase letters and numbers results in 62^31, or 3.7x10^55 possible combinations.
If we assume 60 attempts per second, it will take more that 1.3x10^36 times the age of the universe (15 billion years) to attempt every possible combi
Why are SSNs Being Sent Wirelessly? WEP or no WEP (Score:3, Insightful)
Re:Why are SSNs Being Sent Wirelessly? WEP or no W (Score:2)
Re: (Score:3, Insightful)
If you had read the article, you would have noted this passage:
Re:Why are SSNs Being Sent Wirelessly? WEP or no W (Score:2)
Re:Why are SSNs Being Sent Wirelessly? WEP or no W (Score:2)
Re: (Score:2)
s/paranoid/sensible/
Re: (Score:2)
Re: (Score:2)
A few months ago - maybe a year ago - a bunch of my colleagues were having a chin-wag during a course at work. One is a proper radio ham (Morse code license, 10m antenna hanging out of him parents house, that sort of thing), and the other was a serious hi-fi dork (one of "silver-coated power lead" brigade). All of us were bitching about how the reception on the (FM) radio has been getting wor
Re: (Score:2)
This December 2005 blog post (the first google hit for "WPA hack") http://blogs.ittoolbox.com/wireless/networks/arch i ves/cracking-wpapsk-6730 [ittoolbox.com]
says
Fine. Bash WEP. But what's the point of killing myself getting WP
Re: (Score:2)
WEP and WPA should - by now - be entirely replaced with 802.1x at the very least. Neither of those has any business being used on a modern wireless network. I can accept that not everyone can upgrade to firmware that supports adequate security, but that only excuses the users. The manufacturers have no such excuse, because they're the
Re: (Score:2)
Re:Why isn't WEP recalled? (Score:4, Interesting)
No, the logical method is to expect some component - any component - of the security to be compromised between now and the end of use. You then have a second, wholly independent, component which must simultaneously be compromised in order to be vulnerable. You upgrade when EITHER fails. It is then virtually certain that both have not failed, so everything remains intact, and you use that lead time to perform the upgrade.
You could regard this as a variant on the Byzantine General's Problem. There, some number of components are "traitors" (in this case, compromised), yet you have to make sure that the orders (data) received come from an authorized source alone. Other variants of this problem deal with making sure that that data does not fall into the wrong hands, such as using Byzantine key distribution.
Three algorithms, three block ciphers, three hashing functions. Any one of those gets broken, simply roll onto the next in the list. If you're sneaky enough, you have some mechanism for automatically switching combinations when the key is refreshed, making it much harder for an attacker to know which combination is actually being used at the time.
Security doesn't have to be perfect to be truly secure, it just has to be impassable in the time you detect an attacker bypassing one component and the time you can replace what has been broken. The defender in a real-time situation always has the advantage when it comes to what happens next. The attacker ONLY has the advantage when it comes to what has already happened. So long as there is no usable relationship, the attacker must always lose.
Re: (Score:2)
Meanwhile, back on the simple use-case of Joe The Non-security Geek User, whose chief goal is to run a wireless network, to which no one can inadvertently connect...
Re: (Score:1)
Re:Why isn't WEP recalled? (Score:5, Informative)
Could you imagine being the IT manager who has to tell upper management that the big expense you added to the budget two years ago, which was supposed to last five years before being incrementally replaced, now has to be completely trashed and replaced in one go because the encryption turned out to not be safe?
The best thing many companies can do short term is to limit the damage, by restricting the use of WEP to data that they can afford losing. But even that requires admitting flaws, and is likely to get your head chopped off for bringing the bad news.
Re: (Score:1)
Have you bothered to read the article? These kinds of devices were one of the main sources of information.
Maybe instead of being terrified and covering their ass at the expense of the company and its customers, these IT managers should do their jobs.
Re: (Score:2)
Re:Why isn't WEP recalled? (Score:4, Insightful)
I bet replacing/upgrading/changing the hardware/software that was to blame across TJX's entire corporate infrastructure would have cost much less than the $1 billion dollars that dealing with the current situation could purportedly cost.
[Rant begins here]Now I'm not saying the IT management were blameless either. But the greater issue IMHO is that IT is treated with disdain. IT managers are often treated as something to be tolerated by businesses. This is a horrible backwards, outdated mindset. Unfortunately, IT professionals seem to be doing very little to change this.
At this point, IT is vital, vital to any $10M/year or higher in revenues (to pick an arbitrary number) business. But it is often treated as though it's some glorified janitorial service. Attention MBAs, IT is not there to clean up your screwed up PC and make sure your blackberry works. Sure, that's part of their bailiwick, but until corporate managers start realizing that their business live and die by their IT infrastructure (as the TJX debacle clearly demonstrates), these mistakes will happen over and over again.
The other side of the coin are the people who work in IT itself. I don't know if it's because we were the ones who were picked on in junior high, or what. But I do know that IT professionals are the most ill-treated group of highly-skilled professionals around. Why there isn't some sort of real guild/league/association of IT professionals eludes me. Look at doctors and lawyers. They have the AMA, and the bar (forgive me if my details here aren't exactly correct, but I think my point is clear), they have specialized degrees, and they don't take sh*t from anyone. Why because they know they have unique knowledge and they expect to be compensated accordingly. And when someone tries to muck up their good racket they have going, their professional organizations lobby groups kick into high gear and start shredding whoever it is that wants to take their candy.
On the other hand, when anyone even tries to mention the idea of some formalized "union-like" IT organization, all of the IT types start screaming bloody murder, and all this weird pseudo-libertarian, free market babble starts gurgling out from their pie holes. Attention IT professionals, this isn't about political philosophy. It's about fighting, scratching, "give me my piece of the pie you *sshole" capitalism. IT professionals need to wake up and take control of their situation. I assure you the big boys at the top of the heap love watching you scramble about at their beckon call while their billions of dollars are funneled through systems you keep running with wire and glue because you don't want to rock the boat by asking for a bigger, strike that, realistic budget.
I'm not sure what the right steps would be to start moving towards forming a professional IT organization with real power (as in you can't get jack done on your computers unless you use someone from our guild anymore than you can litigate or perform surgery with out a bar certified lawyer or board certified doctor), but until that happens, IT workers will be thralls and TJX's and TSA laptop debacles, and IBM outsourcing hoo-ha's etc. will happen based solely on the whims of people who think that Excel macros are software and phone cords are what connect computers on a LAN. And just to be clear, Microsoft, ITT Tech, COMP-TIA, CISCO certifications do not cut the mustard as they do not exist to help you in anyway. The benefit you gain is a sliver of what the organizations who dole them out make from your labor.[Rant ends here]
Its our own fault. (Score:5, Insightful)
This is because as a group, we are the LEAST professional of the professional vocations. With our paper MCSE's to our lack of communication skills, our refusal in some cases to "dress for success" and sometimes questionable bathing habits. Everybody who has worked in IT knows someone personally who fits this description.
You are correct, we do need organizations to screen our professionals as much as any other field. The 'soft' skills are just as important as technical prowess to be a true professional. It always helps when people assume that instead of spending all of your free time memorizing Battlestar Gallactica scripts, that you might actually have time for a girlfriend.
We did this to ourselves.
Re: (Score:2)
I'm not sure an "organization" to certify us will help, though. It's likely to be another MCSE-like, useless paper trail to protect managers for hirinig "certified" engineersw, instead of the real necessary skill sets to do solid work.
And I've seen, recently, exactly the kind of hapless corporate security that leads to unencrypted or WEP-based wireless traffic. As a visitor at a corporate office, my jaw dropped to the floor upon discovering that they were using WEP in a first-floor of
Re: (Score:2)
Nerds are everywhere.
Re: (Score:2)
Absolutely, there are other mistreated/maligned professionals in the world. But to be fair (and please correct me if I'm wrong), if you're a pilot - you're manager can't decide to replace you with "Bob's kid who's real smart with planes". Unfortunately that's exactly what can happen in the IT field. A more likely scenario is that Bob's aforementioned progeny would be thrust upon you to
Re: (Score:2)
Very good point...perhaps this is why a Business-Centric refocus of IT resources is occurring worldwide. ITIL, ISO, and many other standards are part of the effort to ensure that IT is PART of the decision making process. I bet that TJXs IT department, if it did NOT have a seat in the boardroom, does now.
IT, like plumbing, has always been a service component, and regarded as important. Sure you need electricity to run a company, but
Re: (Score:2, Interesting)
The security issue was not the existence of WEP on the network. The issue was having a wireless network with full access to the rest of the network including financial systems etc.. (plus, as the article vaguely mentions, not implementing some other security they had available... VPN? SSL? Who knows.)
WPA (particularly WPA-PSK, which is a relatively common form of WPA, due to less support for WPA-Ra
Re:Why isn't WEP recalled? (Score:5, Insightful)
If there are older devices that only support WEP, those can be moved to a separate router and firewalled/VLAN/etc.
I wonder how much money the 'Credit Monitoring' services make out with all these breeches?
It seems to me the only solution to this is to pass strong data ownership protections for consumers. Right now, the companies place very little value on the data (except for marketing/advertising purposes), but this needs to change somehow.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Can you imagine being the IT manager who has to tell upper managment that criminals just got millions upon millions of credit card numbers and SSNs off of the network? Oh, and then tell them you n
Re: (Score:2)
God damn lack of coffee. Should read: "and you chose to do nothing."
Wii (Score:2)
Re: (Score:2)
Even Wii uses WEP. What's up with that? Saving cost for Nintendo?
The Wii is entirely capable of using WPA - provided you don't use any super-badass characters which you can't enter using the on-screen keyboard, naturally (but it does support upper+lowercase, numbers and basic punctuation).
.11B wifi adaptor, which only supported WEP - the recent "sub-1-minute" developments spurred me into buyi
However, as far as I can tell, the Nintendo DS is utterly incapable of WPA.
In fact... *fiddle, taptaptap, *poke*. Yep, since I moved my wlan over to WPA (I used to use a cruddy old
Re: (Score:2)
Re: (Score:2)
Clear data over WEP? (Score:3, Insightful)
Re: (Score:2)
Take a look at the history of PGP and Phil Zimmerman's legal troubles to see why people don't include robust security by default. It
Re: (Score:2)
Almost every piece of clothing I currently have has been purchased through Winners at some point (in Canada - a subsidiary of TJX). I am pretty much on the brink of never shopping there again either. I haven't purchased anything from them since news of this broke. And I always use credit with them - ouch.
I've never given out my postal (zip for you guys) code whenever they asked after a purchase. That makes the existing breach so much more dam
Re: (Score:2)
45 million or 200 million? (Score:3, Insightful)
Gets better, doesn't it?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
http://en.wikipedia.org/wiki/TJX_Companies [wikipedia.org]
Net income $690,420,000 (2006)
http://news.bbc.co.uk/1/hi/business/6508983.stm [bbc.co.uk]
The company also told the BBC that 100 files were moved from its UK computer system in 2003, and two files were later stolen.
However, a spokesperson admitted that the firm may never know what was in those files.
The data was accessed on TJX's systems in Watford, Hertfordshire, and Massachusetts over a 16-month period from July 2005 and covers tran
Sue? (Score:2, Interesting)
Re: (Score:2)
The IT people are not paid to take the sort of risk that involves being jailed for mistakes.
A large part of the penalty cost here is likely to be covered by insurance. This is the sort of thing that insurance companies, in their own defense, should correct. Insurance companies like to give medical exams for high value policies involving their customer's health;
in all likelihood? (Score:2)
They got lucky (Score:2, Funny)
Imagine if they had known enough to make a satellite dish [youtube.com], of sorts...
Ironic (Score:5, Insightful)
A friend of mine has a reasonable but small IT business in the UK, and recently he started pushing the wireless expertise side - setting up wireless networks, explaining why they are a bigger risk than a wired network, securing them (and what do do if you are really paranoid) and trying to guarantee QoS more by setting it up correctly. Positioning your access points properly, doing wireless scanning to pick out any interference spots etc.
No one is interested, and I don't just mean small businesses, but some quite large companies who should know an awful lot better. It's not a UK thing either, because most people believe setting up a wireless network is about popping down to the local store, picking up a Netgear, switching it on and letting Windows attach you to the nearest wireless network it can find. Astonishing.
The only thing that shocks me is that this doesn't happen all the time, because many networks are just an open invitation. I mean OK, it's not that easy because you have to watch the network traffic and find out where the useful juicy bits of data are. That isn't completely straightforward, but once you are inside an average company's network it's doable because everything tends to act as if it is safe and fenced off.
Re: (Score:1, Informative)
Re: (Score:2, Insightful)
The only thing that shocks me is that this doesn't happen all the time, because many networks are just an open invitation.
I'm with you there. It's really unfortunate that people seem to think this is an isolated incident. I mean, it's not like these guys are your average junior high kids with a laptop and some time to kill -- they are professionals. This is an industrial-strength cracking operation where people are out there in search of networks to exploit. It's a business. For every TJX that we hear about, I'm sure there are many, many more that go under the radar.
Re: (Score:2, Informative)
Re: (Score:2)
I can even take your stuff so long as I am not intending to permanently deprive you of it and I don't damage it (proving the former is obviously a tricky prospect but it is a valid defence).
Re: (Score:2)
Oooh... Muffy wants one please!
The real question is.... (Score:2)
Leave the WEP out for a moment (Score:4, Insightful)
Re: (Score:2)
Good point. What's to say that some employee, either through a plant or bribe simply plugs a wireless access point into a spare RJ-45 jack in the back room.
As for their databases, they should be shamed for not improving the security for accessing them, such as tiered levels of access (what in hell is a store employee/manager doing with full database access?), adding something like RSA SecerID pin generators and the like.
Pringles .... (Score:1, Flamebait)
Re: (Score:2)
Re: (Score:2)
well (Score:1)
Re: (Score:2)
Re: (Score:2)
Which is enough to do plenty of things.
Well, I Wouldn't Shop With Them - Ever (Score:4, Interesting)
Well, we all know how brilliant data security experts are, and I really hope that sentence doesn't mean that they are simply throwing $5 million at them. You know what consultants are like - give them enough money and they will tell you everything you want to hear, even if the reality is a horror show.
The whole bloody point of this is that you don't get to that point in the first place. Stable door, horse bolted?
What the hell were they using this wireless network for?
So they were using an unsecured wireless network to enable hand-held equipment to function - and they used this to run their day-to-day business?! Christ. At first I thought this was just some wireless network someone had plugged into the network somewhere arbitrarily, not something they actually used in day-to-day operations.
I'm not 100% sure what system is used for credit card purchases in the US now, but this highlights why I like using cash a bit more with the advent of chip and pin. I would also never, ever use a debit card in one of these things. You transmit your card details, and the pin as well. Brilliant. Access to your bank account, and that hard earned pay that just went in today. I'm slightly confused though, because surely this communication with banks would all happen on another network?
So you take no responsibility for your own systems, and you have no internal expertise? Wonderful.
That's probably the only way, because some companies simply believe they don't have to take responsibility for IT, data, security and especially wireless security. It's something that is best swept under the carpet, and setting up a wireless network is as easy as spending a bit of money on a little access point you've seen at a local store, right? Why spend money doing it properly?
trillion dollar three-piece cluster-fuss (Score:2)
The entire credit industry is complicit in the design of the credit-card as an open invitation to replay attacks. Then this distract our attention from the fact that this horrendous credential is being compromised exactly in the manner the design dictates while telling us that it's *our* identities that are under fire. Let's get this straight: my indentity remains secure, it's only my credit-card credential is additionally compromised with every use.
The central problem here is the architecture of the huma
WEP != VPN (Score:2)
If you're building a wifi link, you really should be using VPN over your WPA (not WEP!) link. If this was a database backup between servers then the protocol they were using should have been secure (SCP). If it was a client acces
Re: (Score:2)
When you want to use a wireless scanner or handheld terminal (as was the case in this shop) you can yell 'use a VPN' but what if the device does not offer that option?
Similarly, when you want to link two offices using a point-to-point wireless link bridging between switches, where do you implement the VPN? You would need to put routers inbetween, an extra purchase.
So it is not always that simple.
Re: (Score:2)
A system that allows that path just shouldn't even exist, VPN or no VPN.
Put Management's Data In The Databases (Score:5, Interesting)
Re: (Score:2)
The real issue isn't WEP, though. (Score:3, Insightful)
Yes, WEP is insecure for real stuff. It's like the little latch on a high school display case. It's to keep honest people honest. It shouldn't be used in a commercial network as the only encryption.
But what the heck kind of network design allows IPs from local stores direct access to central databases? The big issue here isn't that a few dozen or hundreds of cards were snagged by being sent through WEP -- we don't know, maybe the company ran a tunnel across that WEP link for those transactions, and they didn't get anything locally. The big issue is that it looks like the company was storing historical data on transactions online, and in databases that apparently were accessible from that link. WEP was a weak entry point to the network. But where was the security inside the network?
It sounds like possibly either the designers of the overall network hadn't limited access sufficiently to just IPs/MACs from their account department, on a secure network, or the hackers managed to break through security layers in between, perhaps by knocking over a server that was straddling networks or something. If they designed in layers, with firewalls as gatekeepers between layers and IDS and IPS monitoring, I don't think they would have servers straddling, to start. IDS and IPS would also help them notice, for example, if someone spoofed an email from a store to an accounting department person, included a trojan, and attempted to gain access that way.
I'm saying this not so much just to point out what sound like potential design issues with this company's networks, but to get people thinking about their own networks, instead of blowing this off as a WEP issue. If you administer a small network, and haven't had training on how to set it up and maintain it securely, you ought to look into Cisco's SAFE blueprint at bare minimum. It's free and the lessons can be applied to almost any brand of networking gear out there. It basically builds the network up from modules, which are easy to figure out. If you're administering a large network, well, as someone with CCSP training, I'd suggest you hire someone who's been properly trained, obviously. Cisco's track or someone else's. At the very least, everyone should consider thinking in terms of layers, like an onion, and discreet modules residing in, but not crossing, those layers. You should be really wary of any packets from across any WAN link to your core systems, obviously, but you should also set up security policies so that you know which administrative departments have access to which internal networks, too. Ask yourself, if an attacker can get into my network, what can he or she do?
One last thing: network security can't just be set up and left. It has to be monitored and maintained, both to respond to immediate attacks, and to see when people are just poking around, doing reconnaissance.
RBC Visa (Score:5, Interesting)
The question in my mind is, given the basic vulnerability of a long-term CC number, why they don't move to something like SecureId token one-time passwords? If you can have a different six digit number every sixty seconds for five years on one device, surely the same (now public domain) algorithms could be embedded in a credit card. The infrastructure for real-time verification is already in place. With one stroke, the whole CC# theft business could be out of business, and the first mover CC company on this would have a huge marketing advantage: "No one can ever steal your Visa number again".
you can do this yourself for online transactions (Score:3, Funny)
The processors KNEW (Score:2)
Th
Re: (Score:2)
Then of course there's security in the stores themselves. We recently had a breach of the POS credit card terminals at Stop & Shop in RI and MA. In essence the perps replaced the terminals. If encryption were used, the probability of success would be much lower.
Payment Card Industry... where are you? (Score:2)
WEP is encrypted... and... (Score:2)
The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TXJ fiasco could exceed $1 billion -- not including the numerous lawsuits filed against the retailer.
Well first WEP does encrypt the link. That's kind of part of the point of it. So saying "the link was unencrypted using WEP" makes absolutely no sense. Second when I read a different article yesterday, it seemed to cite a standard open network. So there seems to be conflicting reports. In any event whether or not it had WEP or not, it still shows they should have better security. WEP *is* better than nothing, and it shows intent to hack/illegaly access the network. However, WPA(2) should always be f
Even new router encryption may not work (Score:2)
Re: (Score:2)
End to end encryption (Score:2)
IEEE members should be ashamed (Score:2)
If they made such basic mistakes in security on one standard, what prevents them to do other identical mistakes.
Sure, it tough to devise 100% secure scheme, but there is a huge difference between coming with say MD5 which took years to be broken and WEP which was seen as broken as soon as it was studied by security experts..
Re:Ok? (Score:5, Informative)
Re: (Score:2)
Re: (Score:1)
People in glass houses...
Re: (Score:1)
Re: (Score:2, Informative)
Re: (Score:2)
It could be a nuisance for you when the merchant decides to increase prices to cover for losses or to add a service charge.
(of course this is already happening, but you are going to pay more and more)
So, it still is your problem, and you want the credit card company to do something about it. E.g. end all service where two-factor