Harvesting Whois Data for OSINT

At work I was given the task of figuring out at least one method to find some of the domains that were registered by my company’s employees but that we may not have known that they registered. Anyone can visit GoDaddy or PSI or 1and1 and register a domain. We wanted to find out anyone that that registered a domain with an “@MYCOMPANY.com” email in the domain registry. Once I figured out how to do this, I found some really interesting things!

Registering a Domain

In case you don’t know this, when someone registers a domain name like “webbreacher.com” or “osint.ninja” they use a registrar such as Go Daddy or Network Solutions who then does the work of reserving¬†the domain and tagging it as owned by a certain person/organization. There is some personal or business information that you must provide to the registrar for them to make the registration of the domain you want. Most will want your credit card info firstūüôā and also personal information such as your name, home/business address, phone, and email(s).

Personal v. Private Registrations

When you register a domain, many times you have the choice to have the registrar “mask” your personal information that you use to purchase the domain. This is helpful to keep your personal information, well, personal. Instead of using your personal data, the registrar uses their data and then keeps track, internally, who is the actual owner of the domain. For my purposes of finding out what employees are registering domains using our company email address, this masking of their info presents a problem.


One of the main tools that people use on unix, linux and Mac systems to look up the registration information about a domain is called whois. From a command line or terminal window, a user can type whois example.com and the registration information for that domain will be returned. This should include names, emails, phone numbers and more…unless the registrant is using the whois masking feature of their registrar.

Some caveats here are that whois data is many times stale, old, or just very wrong. Many registrars never check the information that is self-submitted when registering a domain. If I wanted to register insertmydomainhere.info as Barack Obama at 1600 Penn Ave, Washington, DC, there are some registrars that would be happy to take my money. Take whatever responses from whois as suspect data until verified or corroborated with other information.

Using whois is great if you want to retrieve the information about a single domain. In my case, I wanted to search ALL domains for any registration information with my company’s email address domain. Using whois for my task, I’d need to request every single domain name with whois and then scrape the results for “@example.com” to complete my task. Laborious if not impossible.


The best¬†place I found that had a reverse whois lookup that would allow the searching of whois data using registrant information AND wildcards (such as *) was the viewdns.info site. Let’s show an example using the dhs.gov domain. Using the ViewDNS¬†web page¬†at¬†http://viewdns.info/reversewhois/?q=%40dhs.gov¬†you can¬†retrieve the first 500 hits on domains having the @dhs.gov string in them somewhere. Below are some of the results.

@dhs.gov entries found in Whois records


This was a huge time saver for me. ViewDNS also has a great API to pull these records down in XML and JSON formats which are easily used in scripts and other programs.

So…I was happy and yet confused. I thought that there may be something wrong with the site. Looking at the bottom of the above picture, you can see that fema.net is a domain that has the @dhs.gov string in the registration somewhere. This makes sense since fema.gov is a DHS entity and fema.net is something DHS might register to prevent someone else from registering it and tricking users. But, did you see the farrellswebservice.com and¬†celticwarriorsmc.com domains? Those do not look like DHS domains. Let’s take the farrellswebservice.com¬†domain and do a command line whois on it.

farrellwebservice.com whois data

Well that solves it. There was no problem with the web site. Under the red arrow is the @dhs.gov email account that the viewdns.info site found: keith.farrell@dhs.gov.

Moving into OSINT

I hear some of you saying “So what?” Well, in¬†the world of OSINT we try to tie pieces of data together. Getting email addresses, phone numbers and addresses for people is key to furthering investigations. We can use this data as pivot points (additional search terms to use to find even more information about a target) to augment your OSINT data. In the above pic for the whois output of the¬†farrellswebservice.com domain, we have all of these pieces. Keith Farrell’s name, home address, phone number, personal and business email addresses are out there in the public for anyone to harvest.

So what happened here? It seems like some people use their work emails for personal registrations. While I only use my work email for work purposes, I do know people that use their work email for non-work purposes.

Applying this Information

OK. So we can easily pull up all the domains registered with a certain email domain. Again, so what? Well, what if those domains showed interests of the employees of that company? What if they showed personal information or pictures of a person’s family? In fact, if you visit some of those domains from our results¬†above in a web browser, that is exactly what you get. Check out¬†http://farrellswebservice.com/ and¬†http://bostonjrhuskies.com/.

So now we have:

  • First and last name
  • Home address
  • Phone number(s) which may be work and or personal
  • Email(s) which are work and may also be personal
  • Personal interests
  • Pictures of family
  • In some cases we have much MUCH more (check out¬†http://dancommiato.com/)

Attackers could use this information:

  • For reconnaissance prior to a cyber or physical attack to gather information
  • Phishing or pretexting data to better-craft emails or scripts that victims may fall for
  • Social engineering
  • Espionage….and so on

We can also take this data, export it to a CSV (Comma Separated Value) file and import it into a spreadsheet program or visualization app like Paterva’s Casefile (free – http://paterva.com/web7/buy/maltego-clients/casefile.php). Doing that, we can see connections in the data such as all domains registered on a certain date or by a specific registrar. This data can help you determine if a specific domain was registered by the organization and is most likely a work domain or if someone else may have registered it.


How do you prevent this? Most domain registrars allow you to make your domain registrations “private” or “masked” so that, instead of your personal (or work) information being displayed when someone looks up the domain registration, it is the information of the registrar that is shown. For example, let’s look at what the whois data for the osint.ninja domain are:

whois osint.ninja

When I registered that domain, I selected to pay a little additional and have GoDaddy replace my personal information with some generic information pointing to their systems. Anyone having an issue with the domain (or network traffic coming from it) could contact GoDaddy and then they would know to contact me.

Additionally, try to limit the places where you use work information for personal purposes especially if that data is or could become public.

For all you OSINT people out there, I bought the $20/month API access to viewdns.info’s data and have scripted this process (and doing subsequent lookups). It does require an API key from the site. If this is something you do regularly, I highly recommend purchasing the API key. Oh, if you are thinking of just scraping the data from the web site…don’t. Viewdns.info actively blocks IP addresses that do this. Trust me. I still cannot get to this site from home.ūüė¶

Like this post? Tweet to me @OsintNinja or @Webbreacher.


Career Days

I have had (and continue to have) the pleasure of helping my two children learn and grow into the amazing, wonderful young adults that they are today. Every year their schools have “Career Days” where people in the community take some time away from their work and share with students what it is like to work in their careers. Each presenter usually has about 25-30 minutes to convey important aspects of their profession such as:

  • What is a typical day like for you?
  • How much money can people make in your field?
  • What are things that students in [insert grade here] should do to become a/an [insert profession here]?
  • Are there certain college majors that would be good for people to choose to become¬†a/an [insert profession here]?

I’m sure that you get the idea. Every year I create my presentation and try to…

Connect with the Audience

When creating my talks, I try to think about topics in my profession that the audience, by they elementary, middle or high school students are affected by and can relate to. Discussing how reused a Apache Tomcat default username and password to upload and deploy a customized WAR file to an application server to compromise the system and then how the WAR file sent a reverse TCP/IP shell to my host pentester server in my cloud instance…this would not go over well with any crowd that was not infosec savvy.

I try to think of an example that each person can understand. Some examples I’ve used:

  • Elementary Schoolers – “Find the vulnerable system” – I bought 100 #2 pencils and broke 2 of them in half so their eraser end was still in place. I then picked them up and made it so all the erasers lined up. The 2 shorter pencils were inside the normal ones. I had the students grab a pencil and see if their system was shorter/was the vulnerable one. Then I told about how many times I have hundreds of systems I need to assess and my first job is to find the systems that are more vulnerable to attack…just like finding a broken pencil in our pile.
  • Middle Schoolers – “What is a ‘good’ password?” –¬†By the time my kids were in middle school (grades 6-8), they had a lot of experience with passwords. So when I presented to their classes I showed examples of a variety of passwords in my preso and asked them to rate if they were good (strong) or bad (weak). To make this more interesting I threw in there passwords with keyboard walking such as !QAZ2wsx#EDC4rfv which looks good but which is easily guessed using techniques from¬†https://github.com/Rich5/Keyboard-Walk-Generators. Describing how an attacker can use a weak password, can “crack” passwords using huge password lists and can gain unauthorized access to systems are easy discussion points here. Passwords lead into other things that hackers do and so this was a natural method of “reaching” my audience.
  • High Schoolers – “Peaking Behind the WiFi Curtain” –¬†I’ve written up a longer blog post at¬†https://webbreacher.com/2014/04/16/all-is-not-what-it-appears-to-be-a-high-school-demo/¬†describing how I used the FakeAP software to make some WiFi access points that the students could see on their phones/devices. This allowed me to address how being an attacker is partially about tricking our victims. They shouldn’t trust everything they see on the internet. This naturally leads into discussions about fake social media profiles, stalkers, and more.

Break it Down

Some of you know that I’ve had a few other “careers” besides infosec/computers. In my early 20s, I applied to medical schools to become a surgeon. I remember at one of the medical school interviews, an interviewer said to me:

I only have one question for you. Let’s say you are in a truck crossing a desert in a foreign country. I [the interviewer] am a native of that country, am riding on my horse and speak English. I stop you, point at your vehicle and ask how it works. Tell me what you’d say.¬†

So I described at a high level how my vehicle needs energy (gas) to move much like his animal needs food to get its energy.

Tell me more…

was all he said. You can probably see where this is going. He had one question with 1,000 follow-ups to get me to go deeper into the explanation. At the end, I was explaining the molecular interactions between atoms and many physics topics that I’ve long since forgotten.

At some point, he stopped with the “Tell me more…” responses and explained that in the medical field they have to explain some very technical and complicated issues to people of a variety of educations, experience, and knowledge. I’ve found this to be very true within the infosec world. Talking to an executive versus a developer, I use different language and concepts to describe weaknesses and risk. This extends to my presos at career days as students in the 5th grade have different life experiences and overall impression of the world than an 11th grader. Leverage this.

One other point that I tried to get across to the students was that, when I was in X grade, my position, my job, my career had not been invented yet! Their career too may not have yet been invented/created/conceived so, try things, fail and be flexible.

Make it Exciting (or at least not dull)

Realize that career days can be amazing events that open childrens’ eyes to future career possibilities or they can be just another boring day at school. It depends on me, the presenter. This is where my Infosec Cheerleader persona really comes into play. I want kids to look at the wide variety of positions in infosec and understand, like sports, that we are a team and each person, whether on the defense, the offense, a referee or an owner, we all work together (or should).

Get Feedback

The best part about presenting to the middle school my kids went to was getting feedback from the students. The school mandated that each child write up a note to the person who had a presentation that they enjoyed most. I love reading these letters (even though I know the school makes them write these as assignments) as they have some insights into what topics made an impact on the kids. Below are some of the feedback I received.


Let me know

Do you have techniques that you use when doing these talks? Let me know on Twitter or in the comments below.

Your very first hike

The weather is turning hot|cold|warm|sunny|cloudy…just like you like it.

You know that there are these dirt|gravel|paved paths in some parks but never knew what they were for.

You are intrigued, pulled by some primal urge to go outside and get some sun|pollen|wind on your face|body|brand new clothes.

You my friend, need to…

Go for a hike!

That’s right. Walking outdoors. Listening to trees and animals make all the same sounds as your “nature sounds” alarm clock that you got last year at the Boxing Day Party your friend had. That is mostly what hiking is, just walking outside. For those that may want to stick to the paved, “improved” surface trails let me tell you, walking on dirt|rock|gravel is a great experience and much different from paved surfaces. Let’s talk a little bit about…

Going for your FIRST hike.

Don’t just run out of the house and hit the trail.¬†Let me give you a brief run down on…

What Essentials to Bring

  • Water –¬†Bring more than you think you’ll need especially if it is hot and/or humid out. Rule of thumb is 1 liter per person per hour if it is warm|hot and/or if it is challenging terrain. Bring all the water you think you will need with you. Do not count on sources of water being available at the place you are starting your hike. I’ve been to many parks where the only water fountain is broken|turned off for the season|missing. Oh, and bring some extra water and keep it in the car for when you get back from the hike. You will appreciate that.
  • Clothing – While we are born naked, hiking naked is not common and frowned upon in many parks.
    • Shoes –¬†Wear comfortable shoes for the terrain. Walking on a straight, flat path like the C&O Towpath in Washington DC and Maryland? Sneakers|trainers|exercise shoes should be fine. But if you are doing the Billy Goat Trail, right off of the C&O Canal, you will want something with a sturdy sole like a light hiking boot. Planning on going through/near water? Going to rain? Consider waterproof shoes.
    • Weather Gear – Check the weather before you go and ensure you have raincoats, hats, sunscreen, sunglasses, jackets and whatever is going to make you feel comfortable should the weather turn sour.
  • Backpack –¬†I’m told that some women love purses. Well, I’m the same way about backpacks. I love them. You might think that you can just wrap your jacket around your waist and carry your water bottle on that 5 mile jaunt and you probably can. Just realize that¬†when you go to scramble over that log|rock you will¬†drop your water bottle because a chipmunk surprised you. Then you will watch in horror as the bottle, the ONLY water you brought on your 100 degree, 100% humidity first hike rolls down the cliff|hill|bank and disappears from view, forever. Bring something you can toss a few things into and wear on your back. It is worth it.
  • Food –¬†This advice goes for adults only. Kids have different rules here. Bring something light to eat on the trail. Take something you enjoy. It can be healthy or not. Doesn’t matter. It’ll add to your first hike and make it more enjoyable.
  • Alcohol – Leave the alcohol at home. Alcohol dehydrates and impairs vision and reflexes. Alcohol is illegal in many public parks at State and National levels too. Just don’t.

So you have packed up all your things and you are ready to…

Pick a Place

There are many avenues that can be used to find a good first hike. Talk to friends. Visit an outfitter like REI or a sporting equipment store and ask a person there. Use Google or DuckDuckgo.com¬†to find a good place for your first hike. Not sure how to do that? Let me show you¬†http://lmgtfy.com/?q=good+places+for+first+hike.ūüôā With some ideas in your head, now is the time to…

Think About Distance

This is where you need to know yourself. Do you sit behind a desk 50+ hours a week and get out of breath opening the microwave oven door? Yeah, doing that 16 mile out and back hike with 10,000 feet of elevation change may sound¬†like a neat idea but probably should not be in your near future. Many people start out with easier hikes and move to more challenging ones. Hiking trails get “harder” to hike with elevation change (going up AND going down), the type of trail (scrambling over rocks versus a towpath), and a couple other factors. To understand the terrain, my suggestion is to…

Get a Map

If you pick a National, State or even local park, their web sites may have maps that you can print and bring with you. And yes, you have to print it AND bring it. Trust me here. When you are cold and it is starting to get dark, you’ll want to know that about 100 meters east of your current location is a road that will take you to a place that sells coffee. These things matter.

I’ve figured out that I like being on mountains and being able to see/hear water. Those hikes recharge my mental/emotional batteries the quickest. Figure out some elements of the outdoors that you and your companions like. Want to see a lot of birds|reptiles|fish? How about plants|trees|rocks? Lots of options for you to choose from.

You can get maps from REI and other outfitters or online for the park. For instance, I live in Montgomery County, Maryland and they have a web site¬†http://www.montgomeryparks.org/PPSD/ParkTrails/trail_maps.shtm that has links to PDFs of each park’s trail map. Your county|city|local park may have that too. Some places, such as one of my favorite local hikes at Sugarloaf Mountain, not only have trail maps you can bring with you but they print them and place copies at the trail heads so you can take a copy at the start of your hike and then leave it when you go back to your car.

Thinking about using your cell phone for a map? Maybe tracking your hike for some “count your steps program”? Cool! Charge up your phone before you go and consider (depending on your course and hike) bringing an extra battery to charge your phone. Oh, and still print the map and bring it. I’ve been on MANY hikes where I’ve brought a map just because of habit and I’ve run into some novice hikers that had no map and no idea where they were. They were very happy to purchase my home-printed map at a high price. I love capitalism. But seriously, someone else may need your copy of the trail.

OK, let’s say you have found a map, you probably need to…

Plot a Course

Figure out what is a reasonable trail to take and reasonable distance for you and your companions. Places like Sugarloaf Mountain, have descriptions of each of their trails on the map (http://www.sugarloafmd.com/sl_trails.html). These descriptions are valuable tools in helping you decide not only what your primary path is but if there are “bail” places. Let’s face it. Sometimes we go somewhere and, for whatever reason, we don’t have a good time. Perhaps you go on this first hike and you find out on the trail that you are allergic to every single tree around you. Knowing that there is a shortcut to go back to your car is a great feeling.

I like doing circuit or loop hikes where you essentially walk in a circle, starting and ending at the same place and not retracing your steps at all. Out-and-back hikes where you hike for X amount of time|distance and then turn and retrace your steps is another popular course you might choose. There is no right way to do it and the trail(s) you decide to take may determine the type of hike.

Walking in the woods, on a trail is mostly slower-going than walking on a road. I normally walk around 3-4 miles per hour on the sidewalk but there are many hikes where we have to struggle to go 1-2 miles per hour. Plan for more time than you need. If you are going on a 5 mile hike on fairly even terrain and are in good shape, you may be able to pull off 2-4 miles per hour hiking. With longer hikes, you will need to take breaks. Plan for that. Plan for slowing down to appreciate the views too!

With your map and course(s) plotted, it is important to…

Tell a Friend

If you are going hiking alone or going into a remote area where there are not a lot of people, text|SnapChat|email|call a friend or family member to let them know where you are going and when to expect you back. I’ve seen things go wrong on the trail. It happens. Don’t be fooled into thinking “Well I’ll have my cell with me. I can always just call someone from the trail” because accidents will happen just when you get into that cell phone dead area where you have no signal.¬†Thanks to my buddy Eric for reminding me about this important point.¬†

Since someone knows where you are going, you may want to…

Check the Weather

Going to rain today? Prepare for it. Getting sunny|hot|cold|snowy? Prep for it too. You will appreciate your preparation if inclement weather arises. One thing many people don’t think about is bringing extra towels and plastic trash bags with them in the car so that when you return and you and your gear are wet, you can dry off and protect your car from your gear.

Don’t be put off by poor weather forecasts. My family and I have had entire parks to ourselves on cold, snowy days. You see the trails and nature differently in different weather. One of my most memorable backpack hikes was on the Appalachian Trail in the rain. Myself, my son and two family friends stood on the Route I70 pedestrian overpass in the rain and waved our arms at cars and trucks until they honked their horns.

This should get you out and about on your first hike pretty well unless you are…

Bringing Kids?

Kids make hiking awesome. I loved walking with my little ones on the trails. They appreciated all the new sights and sounds so much more than my adult senses could. A red leaf on the ground. A big bug crawling across a branch. A bunch of poison ivy leaves that they made into a bouquet for their highly allergic dad. Ah…those were the days.

If you are an experienced parent, you will know that kids slow you down until they get to a certain age. At this point, you slow them down. Weird how that happens. Plan for shorter hikes with younger kids. Even if you are carrying them in a backpack carrier, shorter hikes. And add more time to the trip for kids.

Bring a ton of snacks. Healthy, sugary, whatever. Bring extra food for them. It keeps them busy (and quiet!) and gives them extra calories. Win. Win. Win.

Older kids can help plan the course (and be the course director when on the trails) and carry things. Put them to work!

At this point I should congratulate you because…

You made it! Now Appreciate it.

Oh, you just got to the trail with your backpack and everything. You are prepared and ready to tackle that road|hill|mountain. Awesome! When you are out there on the trail, away from sounds of cars and trucks. Away from the stresses of work. When you walk onto the trail and are the farthest away from what you consider “civilization”, I want you to stop. Yup. Right there on the trail. Well, step to the side of the trail and stop. Look around at the colors and shadows. How the light plays off the stream|vines|sand|trees|rocks. What sounds to you hear? I’m not trying to get all mushy on ya here but some of the coolest things I’ve experienced, times when I’ve felt most centered, was standing on some trail and just looking around, listening and, well, just being. Take pictures to bring back and show friends|use as a desktop background|email to your companions. I love taking pics of nature.

If you are in the DC/Maryland area and looking for some good recommendations for your first hike, see below:

  1. Sugarloaf Mountain – Dickerson, MD – This private mountain is open to the public and is my favorite place to visit. All the trails are very well-marked, the maps are excellent and the views from the top of the mountains are amazing. My suggestion for a good starter hike is:
    • Park in the West View parking lot
    • Take the green trail up the mountain. There are a bajillion stairs going up but there are places to rest.
    • Eat something at the top and take pics.
    • Take the red trail down the back of the mountain and make a left on the blue trail at the mountain base.
    • The blue trail takes you right back to the West View parking lot.
  2. Billy Goat Trail – Great Falls, MD – This is a more challenging trail that has it all from 50 foot rock climbs to bouldering and walking on dirty trails in the woods. The variety of paths in this 1.5 mile trail next to the Potomac river makes it a fabulous trail. Due to its location on the C&O canal, this trail is heavily used and some lines form in certain places. I suggest hitting this on off-peak times.
  3. Visit the Montgomery County Parks Page – Lots of hikes to choose from here. Pick one, pack a backpack and go!

After you finished your hike, do me a favor and Tweet your favorite part of the hike to me at @WebBreacher.


Fake Name Generator

When performing testing activities, whether it is web application penetration or usability testing, it is helpful to have example content to submit in web form fields. The same can be said for people trying to create sock-puppet or alias accounts on the Internet. We need to have sample/fake information so that we can set up the accounts that we need to perform our OSINT (Open Source Intelligence).

You see, some web sites require a login to access their data. And some show additional information to authenticated accounts versus anonymous ones. Other web applications will notify a user account which other user accounts have performed searches for their name or who viewed their profiles. For all these reasons, OSINT analysts need alias accounts.¬†For all of these reasons and more, OSINT analysts need to generate sample/fake user profile information and we can turn to a web application to help us out. I’m talking about¬†http://www.fakenamegenerator.com/advanced.php. This feature-rich, free site will create good dossiers for non-existent people. Take, for example, the profile I just created below.


To create this profile, I chose the default settings, an American male or female from 19-85 years old. The web app did the rest. Not only does it give the above info though, there is more data to help set up a fake account:


Some people have commented that this site’s foreign profiles are not perfect and sometimes don’t make sense (wrong names, non-random content…). I think the site provides a great value for your money (free!) and gives the analyst a head start on creating an alias profile to perform their OSINT.



OSINT is awesome. Open Source INTelligence is about searching the Internet for relevant information about something, analyzing the data that is collected and then taking some action using that intelligence.

Ninjas are awesome. Experts in their fields. Stealthy shadows searching for their targets. Patient, methodical wraiths exploiting their adversaries.

Now, put OSINT together with ninjas and you have, you have, well…you have a new Twitter account (https://twitter.com/osintninja) and a new chapter in this blog. Instead of just being about hiking and hacking, you will see posts about performing Internet searches on people and retrieving data from obscure and interesting sites.

Some readers may remember my “Running Away From Security” talk and blog post¬†and how that was mainly about OSINT. Those were the foundations. Now we build.



Cross Site Scripting Resources

Micah here. Recently, I’ve found several great resources for those of you that perform web application hacking/penetration testing.‚Äč Most people are aware of the old RSnake XSS filter evasion cheat sheet now maintained and enhance by OWASP (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet).

There are two other sites/web apps¬†that can help too. One has a NSFW domain name but, as we are all adults here and it has a neat approach to XSS, I’ll post it. The¬†http://www.jsfuck.com/¬†site uses only 6 characters in its payloads. Yup. 6. Check out the translation of the typical “alert(1)” payload in the picture below.


“Brutelogic” (https://twitter.com/brutelogic) created a Web Gun site (http://brutelogic.com.br/webgun/) that is pretty neat too. It is a bunch of drop down items that creates your proof of concept XSS payload. Really customizable and flexible. Check out the pic below.


Security Company or ???

Ever play that game with fortune cookies where you add “in bed” to whatever fortune you get and it dramatically changes how you look at the words of wisdom you just received? A sample innocuous fortune might be “You will be happy and content” which, by itself, is comforting. Now read the fortune and add “in bed” to the end which will change this harmless, relaxing fortune into something a little more risque, “You will be happy and content in bed“.

While walking the expo floor at a recent conference, I started looking at the names of the myriad companies that had booths. Every now and then my friend and I would giggle as, forgive my high school sense of humor, some of the names sounded like erectile dysfunction remedies, condom-testing firms, and, well, just made us giggle.

While *I* was having this thought, it appeared that Mike Poor (my friend and colleague) had the same reaction to some of the names. He tweeted:


Want to do a disclaimer here that these companies are probably really good at what they make and do…they just had names that made me giggle. I mean no disrespect and wish no harm should come to them, their employees, their brands, their business….but their names made me giggle.

So, now that I’ve tainted your perspective, let me show you some of the names of the companies that I saw on the exhibit floor of the conference. Think to yourself, what do they do? Test condoms? Help men with penile problems? Information security?

Oh, I dare you to try not to giggle.