So, our next talk is OpenWISP, a comprehensive introduction, and our speaker for this talk is Mr. Gagan Deep. He is a co-developer at OpenWISP and he will be presenting the talk. So I am handing the mic over to him.

Hello everyone, and thank you for joining us today here. I will be giving an introductory talk to OpenWISP, where I will be sharing all the features and how you can use them to manage networking devices. So, carrying on.

So, who am I? I am Gagan Deep and I work on OpenWISP full time as a co-developer, where I wear multiple hats to collaborate with the community in developing this beautiful piece of software. And if you like cats, then after the talk you can talk to me. I love cats.

So what is OpenWISP, right? Whenever someone asks me, I just say, hey, OpenWISP is an open source network management software. But what is actually a network management software? It is a software tool which allows users to actually manage, and when I say manage, I say: you have to configure a networking device, then you can also upgrade the firmware on the device remotely, and then you can also monitor the devices straight from OpenWISP. Right now we are primarily working on supporting, or managing, OpenWrt devices; OpenWrt is an open source firmware for networking devices like routers, switches, etc.

So what is the mission of OpenWISP? Why does OpenWISP exist, right? It exists to minimize the efforts and costs required to manage networking devices, to reduce duplicity of efforts, and to automate as many things as we can, because as we all know, humans are bad at doing the same thing over and over again, so why not just delegate it to the machines?
So, a little bit about the history of OpenWISP. It started as a project from universities in Italy, where they developed it to manage public Wi-Fi systems. Then it got adopted by municipalities in Italy, where they used it to manage public Wi-Fi systems in real life which were being used by actual users. Later on, from the year 2015, it was rewritten in Python and developed in Django. Earlier, the OpenWISP 1 which was used by the municipality in Italy was built on Ruby, but now we have rewritten it in Python because it offers more flexibility in development and to provide more generic configurations. So now we developed OpenWISP 2, and it is being adopted by many more ISPs around the world and used by organizations to also manage their internal networks.

I think most of us have already seen some kind of these devices, right? These are routers and access points. Before I joined OpenWISP, my experience with routers was when I had to change the Wi-Fi password, when I had to change the SSID, that's it. But that's only the tip of the iceberg here, right? There are so many configurations which are available on networking devices. So just giving you an example, oh wait, no, I did, yeah. So just giving you an example here: this is how you set up a Wi-Fi interface, like you turn on Wi-Fi, on an OpenWrt device. This is very simple and straightforward: you put in an SSID here, and that's it, right? You put in some kind of Wi-Fi security encryption as a drop. But what if you have to do this over and over, over 300 access points? This is not actually doable.

So how does OpenWISP simplify these things for you? First of all, we have a comprehensive dashboard, and we will go over all of these points in detail. So just to iterate over it: we have a comprehensive dashboard, and we also provide configuration management templates, the concept of templates, variables and groups, which we will
dive deep into, and I will also show a demo about it. Then we also generate configurations which are compatible with different firmware versions, and so on. We also support VPN provisioning and many things.

So this is the general dashboard of OpenWISP. As you can see, there is a map on the top which allows users to actually see where the device has been deployed. Let's say we have Wi-Fi access points all over Hanoi, so we can actually see in which part of the city a particular access point is deployed. Below it there are a few donut charts. The first one shows how many devices are active and unreachable; as you can see in the screenshot, we have 143 devices which are online and some of them are unreachable. The next one is the configuration status: whenever you change the configuration on OpenWISP, it then applies it on the device. Sometimes the device may fail to apply that configuration, and we get a general overview of whether there are many devices which are dealing with that problem. And the last one just shows a distribution of how many devices have actually been mapped on the map and how many are not.

There are a couple more charts here. The first ones show the distribution of the devices on different parameters. The first one is device model: it's very rare that, if you have a big fleet of devices, you will always have just one model, because there are different requirements for different places. So we give you an overview of the different models, firmware versions, system type, which is the chipset being used on the device, and then the active Wi-Fi sessions and the distribution of different groups.

Then we also provide this general overview of the time series graphs. The first one is Wi-Fi clients: how many devices, so how many
people, how many devices (and when I say devices I say mobile phones, laptops) are connected to the Wi-Fi system of the network, right? So we can actually get an overall idea of how many people are actually using the network. Below it we have the general traffic chart, so we can see how much traffic is going through the network, and this gives a good idea of how much the system is being used.

Before jumping ahead, I would like to share this thing about OpenWISP: we have this editor here which allows users to set up configurations in OpenWISP. Here you can see it shows the same example that we started with, right? It sets up a Wi-Fi interface which can be used to access the internet or anything. We provide two ways. This is the GUI: this is a simple drop-down menu and you can fill in details. And for advanced users we provide the advanced mode of the configuration generator, which is a JSON object. We have a schema, the user has to follow it, and then using that configuration in JSON format we can actually generate the configuration for the device. And we can do vice versa as well: you can provide the configuration using the editor and get the JSON, or you can provide the JSON and the editor will automatically read it and show it to you in the UI format.

So let me give you a quick demo of this. Here we have the same example in the editor. You can see that if I want to add another interface here, I can just do 'add interface' here and it gives me the option to actually configure that interface. So not only Wi-Fi; I have been stressing the Wi-Fi part just because, for normal users, that's the most common thing which they use for configuration of access points, but
here we have more options as well. So not just interfaces: we can configure different radios on the device, such as the 5 gigahertz range or the 2.4 gigahertz range of radio, and we have different things, like you can set the firewall itself, and you can also configure VPN, and we will jump on that later on in the talk.

And, yeah, the advanced mode of the configuration generator. As you can see here, we have this configuration which I added. So if I change something here, let's say, let's remove this interface which I added for the demo right now. If I remove this, and let's just remove everything, right, the configuration editor reads it and removes everything. So basically it provides two ways to generate this configuration. I will just refresh it to save time. And it also provides a way to actually see the configuration which will be generated on the device. So here, if you are not familiar with the OpenWrt syntax, I won't bore you with that, but it just says: create this interface, and then this is the configuration for the actual Wi-Fi, and it is not using encryption right now. So yeah, that's pretty much it.

Moving on to the next part, which is templates. Right now we have been talking about configuring just one device, but if you have to do it over and over again, we have the concept of templates, which reduces the duplicity of efforts and also code. So what is a template? They are reusable configurations. You can apply multiple templates on a device. So let's have an example. On my device you can see these are the templates in OpenWISP, and you have two templates applied. One is the SSH keys, so the server's public SSH key will be applied on my device, so the server can easily authenticate and log in using the SSH service, and the second
one is the configuration which I just showed you before; it is that template, which has already been applied, right? I can add more templates as well, such as, I will just add this one, and I can also add the template for WireGuard, etc.

You must have seen in the example that we added this VPN configuration for ZeroTier and WireGuard, right? So we have an option here, the type of the template. There are basically two types of templates: one is generic, the other one is VPN client. The generic templates are used when you have to change anything else, like anything on the device, and you would usually use the VPN client template type when you are applying some configuration specific to a VPN which is managed by OpenWISP. If you want to connect to some external VPN service, you can just use the generic one and put in the configuration yourself, but if it is managed by OpenWISP, OpenWISP will automatically generate the template based on the type of VPN server you are using.

So yeah, this is the example. As I have already shared, we have a few different things: the name, the organization, the type of the template, and the backend. Right now, as I already shared, we support OpenWrt, but the project has been developed in a way that in future we can extend it and support other firmwares as well.

There are two small things here: the first one is 'enabled by default' and the other one is 'required', at the bottom. If you flag a template as enabled by default, any new device which registers on the system will automatically have the template enabled. So it reduces the amount of effort you will need to put in to set up a new device: you can flag some templates as enabled by default, and then a new device will have the template. And if you flag a template as required by
default, required, then the user won't have an option to remove the template. In the example... we have time for the internet to work? Well, actually, we will just move on with the presentation, and maybe if it starts working then I will just show you after that.

We also have the concept of variables. Let's say you have this template and you have created it for everyone, right? But my access point does not need the specific value. One common thing which we have observed in deploying systems is that the MTU on the VPN has to be configured based on the underlying networking technology: if you are using an LTE network you have to set a lower value of MTU, and if you have a good, reliable fiber network you can use a higher MTU. So we have the concept of configuration variables, which allows users to customize only specific parts of the template. So you will have a big configuration which is reusable in general, but a part of it can be customized.

Then we have the concept of groups. As I shared earlier, any network will have devices which are of different categories, of different models, they have different drivers, etc. So let's say you can create groups for two types of devices: one is routers and the other is access points. Basically, you do not want the configuration of routers applied on your access points. So you can create groups for this, and then you can add that specific template to a group, and you just apply a device to a group, and all the configuration which has been applied on the group level will automatically apply on the device as well. It will work just as if you had applied individual templates on the device, but it reduces efforts.

So here I have this group, and I will just go through this with you. Similar to the device page, you can apply as many templates as you like here, so I will just add this
one, right, and you can also provide configuration variables directly at the group level. So you can say some family of devices will need some specific value, so you can also provide it here and it will get applied to all of the devices that are present there.

Yeah, so I touched earlier on the concept that we also allow provisioning VPNs. We currently support managing three VPNs: OpenVPN, ZeroTier and WireGuard. With WireGuard and ZeroTier, OpenWISP will also manage the server side of the deployment. For WireGuard it will generate encryption keys etc., it will generate the certificate file and private keys for OpenVPN, and for ZeroTier, it uses a proprietary hash key for connection, so it will also generate... yeah.

So we have been talking about what goes on the server side, what goes on the controller side. Now we will talk about what happens on a device and what is actually needed on the networking device. We have an OpenWrt package called openwisp-config. This package is installed on the networking device, and it communicates with the OpenWISP server and then applies the configuration which is generated by the server. It constantly polls the server to see if there is a configuration change. It can also accept push configurations, where the server pushes that the configuration has been changed and you need to apply those. Then it has a very neat function: it tests whether the new configuration works perfectly or not, causes any errors or not. Let's say, due to some human error, there is a modification in the template, in the configuration created on OpenWISP, which is not supported by this particular device. So the agent will test the configuration; if it runs into any error
it will just roll back those configuration changes, and then it will report to OpenWISP that, hey, there was an error applying this configuration, and it will also provide some error log lines which can help to debug the problem which is occurring on this device, right?

Then it has some hotplugs, which is a concept of OpenWrt; it is like signals and receivers. We provide some hotplugs, like what happens when the configuration gets reloaded, what happens when the configuration has been successfully applied. This provides customizability to the system, where users, based on their own needs, can write scripts which are executed at a particular operation of applying configuration. And then it also collects some basic data from the device. As we saw on the charts, there was information about the firmware, the model and the system SoC, so this openwisp-config agent sends that information to OpenWISP.

You can configure openwisp-config on the device not only over SSH, using a terminal, but you can also install the LuCI web app, which is the web GUI of OpenWrt, and then, just like you would use any web application, you can configure the openwisp-config agent. But the best part of the openwisp-config agent is that you can create a new firmware and have everything in there which is required to register the device on the system, which is the URL of OpenWISP and a secret which is used to register the device on the system. You create a firmware, you flash it on all the devices, and when you just switch on the device and plug it into the internet, it will automatically register the device to OpenWISP and then it will start behaving the way you want.

Now, we also provide support for executing shell commands on the device. So from the web UI itself you can
execute some commands directly on the device. You can use these commands here: we provide some basic commands where you just click on it and it will work, like reboot, change password. Maybe you want to just check whether the router has access to the internet or some specific web address; you can use ping or traceroute to diagnose the network, which becomes pretty handy when you are managing different devices. You also have the option to execute custom commands, so anything that you could execute on the terminal using SSH, you can execute here.

At the start of this presentation, in the dashboard, we saw a map. The map gets generated when the user puts the location of the device in OpenWISP. We also provide support for mobile devices: let's say an access point is deployed on a bus and the bus moves across the city. Using a script on the access point, we can send updated coordinates to OpenWISP and it will reflect on the map.

And I think any network management software will be incomplete without support for provisioning and assigning subnets and IPs. So we do provide a way, and we use it to work with ZeroTier and WireGuard VPN, where we control how many subnets and how many IPs each device would get. But it is pretty extensible and pretty customizable; you can use it anywhere you want.

Okay, we have been talking about configuring the device. You have changed the configuration of the device on OpenWISP, but how would we know whether that configuration gets applied or not, and whether a device is online or unreachable, or a device is experiencing some kind of issues: is it under load, is it running out of memory, is it running out of storage, etc.? So that
functionality is also built into OpenWISP. As I was saying, we can see the status of the device and the system metrics like CPU, disk usage and storage, and it also checks for reachability; it does a ping check, so we would know, okay, the device is reachable by OpenWISP. It also has a separate OpenWrt package, which is called openwisp-monitoring, and we will discuss it later on.

So this is the device status page. Here, as you can see, we are seeing the load average on the device and the amount of RAM which is being used by the system, and some other things like storage as well. Apart from this, we also provide a way to see this information on time series graphs. The first one you are seeing is the ping. OpenWISP is configured to check for the reachability of the device at five-minute intervals, and the chart is being plotted that way. You can also change the time span of the chart, so you can see older data as well, like: okay, in the last one month, tell me when this device was experiencing a problem. Below it you can see the round trip time. This is actually useful for diagnosing networks; it will just show how much time was incurred in the round trip of the ping checks. And the third is the CPU usage; we plot it in a time series chart so we can know the duration of the metric.

Now, there are also network devices which support placing a SIM card in them. There are travel routers, travel modems, right: you put a SIM card in them and then you start using them as a hotspot. For those kinds of devices you can actually get metrics for the signal quality and for signal strength.

And this is the Wi-Fi session tracking thing. Whenever my mobile phone connects to the
Wi-Fi of any of the managed devices, it will create a session with the information it received from that particular mobile phone or laptop or any other thing. As I already shared, this helps to see how much the network is being used by people.

Yeah, and we also provide configurable alerts. Let's say you don't just want to see that your device is having 100 percent CPU usage all the time; you also want to know when it happened, right? So we also send alerts which are customizable by the user. You can set it: okay, if the device experiences more than 90 percent CPU usage for 10 minutes straight, then only send me an alert at that time. But if the CPU usage spikes just for a minute and then settles down into the normal range, then the user need not be alerted, because this creates a lot of spam in the inbox and the user deals with alert fatigue, where they will actually ignore the alerts which were actually important.

Similar to the config agent, which deals with the configuration of the device, we have the monitoring agent of OpenWISP. This is openwisp-monitoring. It is installed as a separate package on OpenWrt and it provides a way to collect the metrics directly on the device: metrics for CPU usage, RAM usage, memory usage, storage, traffic, etc. It collects that information and uploads it reliably to OpenWISP. So in case, let's say, there was a network outage for some time, the device with the monitoring agent will still collect the information during that time, and as soon as it gets network connectivity to OpenWISP, it will then also send the old data.

We also have active monitoring checks. These are the checks which are performed on the OpenWISP server. It will perform ping checks, so the server will check for reachability of the device in the configured amount
of time. Then it will also check whether the configuration generated by the controller was successfully applied on the device. If a configuration fails for any reason, it will just alert the user about the particular device. And we also provide a test using iperf3. This is useful to know the bandwidth of the link between the OpenWISP server and the device, but you can also customize it to run the iperf3 check against an external system, an external iperf3 server, which will give you information on, okay, what is the actual bandwidth to the internet of this device.

Yeah, so we have covered configuration generation and monitoring. The next thing is firmware upgrade. As we all know, most of us, all of us are dealing with tech here, right, and tech evolves, software changes, and the scary thing with these firmwares is that you get outdated and you will expose it to vulnerabilities etc. So we do provide a way to upgrade the device remotely using OpenWISP. There are a few different concepts there; one is build. You will just upload the firmware image here, and then you will apply the image to the device and just click on save, and then OpenWISP will handle the firmware upgrade process: it will push the file onto the device and, yeah, it will upgrade the device, right.

OpenWISP also provides a way to check the network topology, right. Here you can see that the links in green are the devices which have working links between them, and the red ones are the links that are not working. So the network topology provides a way to collect topology data, and then you can visualize it, and you can also go back in time to know when a particular link was not working. So
the last thing in this is the RADIUS part, which is the public Wi-Fi systems, right. We have integration with FreeRADIUS to support working with captive portals, which allows users to sign in and then access the network, and also for WPA Enterprise, where you do not have a particular captive portal; you just put the credentials directly on your device when you connect to a Wi-Fi interface which supports this particular type of encryption. Then it is also possible for users to do a self sign-up. Some jurisdictions do not want to allow people to randomly access the internet without any identification, for security purposes, so they can use SMS to know who is accessing the system. We also support social login or OAuth2, and it also supports SAML, so you can also integrate single sign-on on those servers. And we also have a paid module which will only allow access to the network after a subscription.

So yeah, we have this separate React app which generates the Wi-Fi login pages; it acts as the front end for the Wi-Fi service. This is the registration page. If this organization requires mobile phone numbers, it will use it; if it does not, it will not show that. Then it will verify using SMS, and only after that will the user be able to use the service. These are the screenshots of the Wi-Fi login pages app. As discussed before, it also allows you to sign in using OAuth2 or social logins, and then it will show the status, whether you are accessing the internet. It will also show how much traffic you have used, and it will also send an email to the user that a new Wi-Fi session for their account has started. So this
is the SAML login, and this is the paid subscription module, which will only allow access to the system when the user makes a transaction. I will just connect them. So basically the user will just fill in the details, and there will be a prompt to make a payment, and then it will allow them to access the network. Here in the service they are using PayPal to do the payment, and after this they will be able to access the internet.

Yeah, so as we have been discussing, OpenWISP provides modularity and extensibility. Users can customize it to their liking and then they can use the system as they want. We provide REST APIs. This is a holistic architecture, which you can also find on our website; I think the time is running out and we will not be able to discuss it. And you can deploy it using an Ansible role. Yeah, so we generally support OpenWrt here, and everything which OpenWrt supports can be managed by OpenWISP. So thank you very much for your time.

I apologize, we ran a little bit out of time. We can take one more question if you want.

Hi there, yes. Of the metrics you guys showed in the dashboard, which ones do you find most useful?

Especially ping, because we want to see how much time the device was reachable by the network, and we also find it useful to know the number of users which are connected to a particular access point, so it can help the administrator know where the concentration of network usage is in a particular place. So yeah, those two, and also the traffic which flows through the network.

Yeah, okay, a question though. So the pinging is from the cloud towards the public IP address, or from the router or the access point inside the network to the
cloud? Which direction?

Sorry, I do not understand your question.

I mentioned the pinging, and then of course the graph I showed, of course, at the time: which direction is the ping initiated, from behind the NAT or towards the public IP?

So we do not use the public IP. We recommend provisioning of a management tunnel, the VPN, and we use the VPN tunnel for pinging.

Understand, thank you.

Yeah, thank you.

All right, thank you. Thank you, Gagan, for a comprehensive introduction on OpenWISP, and let's have a round of applause for our speaker. Thank you, everyone.

All right, so our next speaker is Mr. Naruhiko Ogasawara. He's a senior security engineer at Shift Security Inc. So let's welcome him for his talk, 'We already have a new modern and secure print experience'. Welcome him with a round of applause.

Thank you, everyone, for attending my session. My English is not so fluent, sorry, please forgive me. Anyway, my presentation is 'We already have a new modern and secure print experience'. I'm Naruhiko Ogasawara, as he described, and I'm from Shift Security, but this topic has no relationship to security; this is my hobby. I'm a desktop open source enthusiast from Japan, and so I love to keep up with the printing technology on Linux, and I'm a former member of OpenPrinting Japan. I will mention OpenPrinting later. And I love kayaking.

Anyway, so what kind of organization is OpenPrinting? This is an organization to standardize desktop printing on Unix or Linux. So they say they develop IPP-based printing technology for Linux/Unix operating systems. So they describe that.

Some of you remember this web post posted by Microsoft, 'A new modern and secure print experience from Windows'. In this page they describe: the IPP-based printing in Windows today removes the need for third-party drivers and blah blah blah or something. Anyway, so
this means: welcome, Windows, to the IPP-based driverless printing world, which Linux already has. We Linux users have already had a new modern and secure printing experience for years. At least we went to support this with a 9.0 in 19.04, so this is a very old version, released in 2019, so a very old version.

In this talk I describe a traditional, not very traditional, but traditional printing scenario, and the modern driverless printing scenario. I don't mention the LP/LPR era at all; I just speak about the desktop.

So first of all, how printers are driven. If you use some peripherals, you may need a driver. In the Linux world, basically the driver is a kernel module, but printers are not. So this is quite different from other peripherals, because a printer always uses a well-known interface such as USB or TCP/IP or something like that, so the physical connection is already done. If we want to print, we create some data, say PDL, to describe the page image or something, and send it with a job description, for example: quantity is one copy, reverse page order, color or black and white, size is A4, or something. This kind of data should be sent to the printer, then the printer works. This is a printer driver.

We use CUPS as the core component of the printing system on Linux. So this is CUPS, and CUPS supports two major features. One is that it provides a user interface to the application, for example to select page size or paper media type or something. And a different important function is data creation: as I mentioned, creation of printer-understandable data is a very important feature of CUPS. Some people remember that CUPS is the Common Unix Printing System, but this is an old name, so we say just CUPS, and this is a core component of the Unix/Linux printing system, and it handles
job control and user interface and also the data filter pipeline to create PDL and as I mentioned before there is a no kernel module uh in the CUPS printer system and uh now developed by OpenPrinting uh formerly uh Apple buy the CUPS and Apple develop the CUPS but nowadays uh Apple CUPS is uh only uh death or something so uh we focus uh OpenPrinting focus the CUPS and they maintain this and the PPD is uh so another very important file uh this is uh uh names the PostScript Printer Description but uh not the only the printer PostScript printer this is a uh historical reason name is came from historical reason and describe the printer capability color or monochrome supported media size supported media type or finishing feature the brakes or stapling or punching or something this is a short example of the PPD for example this is a media size and this selector one and default is A4 and we have A4 size and A4 borderless size so user interface can see A4 and A4 borderless or something and we have a language filter this is the last filter of filter pipeline to generate the printer specific data format for example uh uh HP has a HP all printing language and Epson has a Epson original print language Brother has a Brother also Ricoh has also something something so uh this kind of the language filter is very important part of the printing uh CUPS printing system I need to rush this was a very painful way because so the PPD and the language filter set was a printer driver so vendor should uh publish the printer driver and if not uh we cannot print uh from Linux this was a very painful because the uh according to the uh market share so Linux support is very expensive for the vendors so some vendors don't want to support the printer driver for Linux this was a very painful way but now we have a driverless printing so uh we don't need to install the printer drivers instead connect via USB or Wi-Fi it's just working just work if printer supports Apple AirPrint
or Mopria or IPP Everywhere uh this is a very common feature right now so this is how it works so if printers turn on uh when printers turn on uh printer says I'm here I'm a printer so CUPS understand the oh new printer is coming and CUPS and ask the printer to the sorry attribute attribute to be in the capabilities and eat the paper size or media type or something something so CUPS generate PPD file from received a printer attribute then application used this pd PPD uh same as a previous era so application nothing changes and uh after print jobs send uh there is a raster filter right here so I can it can create the uh standardized uh raster image uh to understand the printer this is a key point uh standardization of the uh raster image data this is a key of the driverless printing so every printer can handle the same raster format it can be it is easy to uh expose the driver so and another key feature is IPP IPP is the means uh stands for the Internet Printing Protocol this is a printing protocol over HTTP or HTTPS so uh you can see the RFC uh 2911 uh this is the bidirectional not only the sender data but also the collecting the data uh to ask the attribute or something this is the the little uh business slide but uh example of the IPP you get the attribute and change to the PPD and the raster filter is uh so printer can say uh I can accept octet stream image PDF raster image URF image JPEG or something so this kind of the image data format is uh standardized conclusion printer driver the user and the module and are within CUPS and uh uh the pair of the PPD and the language filter uh is as a printer driver but now uh while ago using printer in Linux requires support from the printer vendor but now we have a driverless printing so we don't need the uh uh without printer driver's support uh we can use the printer uh thanks for the driverless printing so these are all the Linux users to print uh upper upper into available printers without vendors driver
that's it any other thanks any other question or comment or something no uh may I ask the small question so how many people in here use the Linux desktop Linux as a user desktop with your hand okay but you don't may have a printer you you have the issue is that I have HP printer and it have DRM drivers so whenever I have to print something I have to install their drivers so I enable CUPS I enable Wi-Fi printer but the issue issue is that I can't print without drivers like I import the PPD but I have to run their script also they have some DRM in their drivers so I use printer but DRM drive with DRM drivers uh huh so uh he mentions about uh so our real world some of old type printer cannot support the AirPrint or something but so if you want to use a printer such kind of things so you may you have to use a printer driver that's right and uh driverless printing has a some issue about that yes so so in such case it's also about we should choose the printer driver uh huh CUPS found the printer but it can't print it it said that PPD have an error it have said manifest has error so you I have to install using uh you want to some script the HP script then it can see the printer and then it can do all the wireless printing stuff printer is very old p one one thousand seven HP DeskJet okay maybe LaserJet yeah we have small tips about the such to work around such kind of situation but uh so it's time to show the very short time to talk with so please grab me later thank you thank you for your wonderful talk um so yeah so that concludes the talk um have a round of applause for our speaker thank you so please welcome our um another speaker Mr. Nuyen Duyen he's a chairman of Lumi Vietnam he's a co-founder of a smart Lumi system and also he plays a role of chief system architect and developer of Lumi products so let's learn something about how does Lumi smartphone ecosystem apply open source in the environment okay hey everyone thank you for your time to join this session uh
I'm uh tonang from Lumi Vietnam uh Lumi happened 12 years uh uh we uh focused on smart home solution uh Lumi also uh export to this country Lumi focused on on IoT so Lumi uh used many uh wireless protocol like Zigbee Bluetooth uh Mesh uh Matter or Thread uh Lumi also produce many kind of product like you can see like uh some uh touch with uh sensor lock or some uh lighting Lumi not only focused on um on uh quality Lumi also focused on the beauty the authentic of this uh normally I think uh most uh IoT system like this uh uh there are three components in uh IoT system you can see the center is a cloud uh IoT device and uh mobile app web to connect and control the device but uh Lumi uh have a little different because Lumi use Zigbee or Bluetooth Mesh or Thread it is not uh internet it cannot connect directly to internet so it use the home controller or we call gateway gateway and mobile app and uh Lumi clouds so uh we have some issue with this solution you can see if Lumi cloud have any problem or home or home controller have uh problem are offline so we cannot control device from uh internet from mobile uh now Lumi handle about 700 thousand device uh Lumi allow handle many logic and uh receive many message so it will help with uh overload or message latency or missing socket and uh to handle Lumi cloud Lumi also take a quite much expense and manpower to operate uh to optimize also is uh the all target the next issue is uh home controller you can see home controller also uh we can call is the mini server it uh connect and connect and handle own connection from Zigbee or Bluetooth Mesh uh it also work like automation automation uh in mostly in uh solution uh Lumi provide for for customer they need many uh uh rule we can rule or automation uh system uh when it work uh live server so we also thinking so we need Lumi cloud or Lumi cloud have uh uh uh lightweight lightweight uh function not uh not handle too much uh function live live live here uh Lumi also use uh home
controller to two kind of controller one is the master and one is slave because in the villa uh we uh we handle either more than 200 or 300 uh Zigbee or Bluetooth device so one one controller cannot handle own so we divide to one or two or three home controller to take care so it also have problem if master or slave have problem uh so uh in uh in all solution we uh we need uh each uh all solution need to really stability and we think uh how we can make uh our system is zero doubt and uh to improve user experience we also need to down the latency you know when we control from app to turn on or turn off the the the IoT device uh the best user experience is below 200 millisecond latency and uh Lumi also need to global scaling uh because Lumi also export to many countries so we need to build the cloud can handle own device on over the world and uh Lumi you need to improve security and uh reduce cost of uh all system so the so Lumi have uh solution uh when we apply 8xFF open uh the next slide uh meet the Tai uh take care this solution we'll see how mobile the the solution we apply thank you okay hello everyone my name is Tai and I'm senior software engineer at Lumi so after we lay out on our problems we knew that decentralized the cloud and the home network are the answer you also know that the P2P technology will also come to have to boost up the performance so we have the idea but we don't have the tool or the knowledge to uh do it then we found the 8xFF foundation yeah uh their team is here with us today so if you have any question about the the foundation you can feel free to ask so they mean their domain is networking media streaming and decentralized system they have extensive experience with media server cloud infrastructure and more and their code code base are 100 open source so you can check it out on GitHub so there are two um project uh that we highly uh recommend the first one is the atm0s SDN which is software defined network so their feature is high
availability being fully distributed with no central controller uh the second feature is that multi zone support so it will have very high scalability uh and can be multi zone uh across the globe they also have magic base adaptive routing with the latency and bandwidth network orchestration and discovery and have high extendability by using network service they also have some build build in feature like pub/sub key value and also work cross platform line Linux and max away the second one is atm0s reverse proxy which is a relay proxy for IoT they have uh they have features like decentralized allows anyone to contribute and participate in the network fast relay so the server just relay messages so it's very fast and efficient it's also written in Rust which is a modern and efficient programming language known for its performance and memory safety and there's no account required which is we use public and private key so you can just connect and it will work okay so uh that two uh project check on the box for us so we have the tool now we do some analyzation uh then we divide into two phase the first one is we will decentralize the cloud using uh the atm0s SDN technology we can create a decentralize network for reducing downtime and each node will have the simplest uh logic as possible just relay message for reducing maintenance and operational cost we also improve latency between region and uh to make way for our for exporting solution overseas and uh we will make this uh easy to deploy as uh possible so it's very easy to scale we also improve security with biff the vip 32 the second idea is that we will decentralize the home it's a we will turn turn each home into uh separate a network also where on home controller nip devices same purpose and we will use direct P2P connection for low latency and each home will handle its own network so we can move on the logic from the cloud to the home so this is the design you can see that the relay cloud now is a cluster of
nodes so the idea is that node can be died but the system will live and the home also you can see the mobile mobile app can directly connect to the home via P2P so our roadmap uh will divide into two phase the first phase is to decentralize the cloud and the second phase is to decentralize homes so currently we are in the first phase uh we are finalizing the first phase so here we have the uh implementation and results objective of the first phase is that we will deploy a full fully functional and standalone IoT platform we will reduce the load of the Lumi current Lumi cloud and we migrate most of the future from the current IoT cloud to the IoT to the newly developed IoT platform so this is the system overview you can see that the gray box in the uh um uh current is the current uh system and the green is newly developed but newly developed uh IoT platform we add uh atm0s SDN the agent uh to the home controller uh we deploy a cluster of nodes uh and we we develop the MQTT simulate to handle the load of the current Lumi cloud so here's the result if uh the first one is zero downtime when using the 8xFF export SDN if finding way finding path from gateway to home controller based on network condition so if uh their nodes is unavailable they will change the redirect rerouting to other nodes so uh there will be no downtime here the second one is latency improvement we have some benchmark on the current uh system and the newly IoT platform system and the result is that uh the new system has uh 7.3 times faster than the current system code we also have some uh calculation on cost reduction so the current system handle about 20k connection at the moment with the best per second of uh 500 so we have a benchmark of uh one node using one core CPU and one gig RAM uh can handle up to uh 3000 connections and 3000 requests per second so that uh with the new system we only need five nodes to meet the current requirement and that cost can be reduced up to 80 percent here either will global
scaling network optimization you can see that the latency between nodes can reduce up to 42 percent uh with the new system we also achieve uh improvement in security by using beef uh 32 and uh increased performance and reliability of the source code using Rust with sinio and uh in the future we will finalizing our first phase of the new IoT platform and we will uh uh done the second phase also so uh the 8xFF open source had a great potential and benefit not only to the media application but also smart home look solution and many more fields in the future we will cooperate contribute and have uh ff ff foundation with their open source and reach its full potential we like to also contribute to smart home community by offer free platform for Home Assistant so that's the end of our presentation thank you if you have any question feel free to ask all right the room looks full so please welcome to our next speaker so Mr. trun wu thuan he's a sales representative in Vietnam Open Source Development Joint Stock Company and our next speaker Mr. new yun tehong he's the CEO of venad this um so yeah let's learn something about open source software and open data opportunities for innovative startups in Vietnam okay thank you very much um hello everyone uh uh let's present uh I'm present with uh Vietnamese uh uh okay uh I don't know how to explain it. There are only a few people who don't know how to explain it. My hands are too high. There is no one to explain it, right? I know how to explain it. Who knows how to explain it? It's too little. If you know how to explain it too much, you have to explain it a little bit. What is the simple way to explain it? It's simple. But instead of using a common way like the other companies, the open-air vehicle will give us a way called the open-air vehicle. It's a way that will give us more rights.
If it's a traditional vehicle, you use a soft vehicle and it will stop you from being able to go outside and have enough access to the vehicle. The open-air vehicle will guarantee that the rights that you have will be shared with others. The open-air vehicle will not allow you to go outside because the open-air vehicle is different from the open-air vehicle. It's not different from the open-air vehicle. It's easy to understand. OK. In the world, the first companies in the world use the open-air vehicle and the open-air vehicle so that we can know why the open-air vehicle has a big influence on the world and why there is a big version like this. We have more than 100 international versions of the open-air vehicle after three days. This is Microsoft, right? They joined Microsoft as a security member. As you know, in the past, they decided not to use the open-air vehicle. But recently, this is one of the biggest advantages of the open-air vehicle and they completely changed their point of view with the open-air vehicle because the value that the open-air vehicle brings to the user and brings to the business they become Microsoft Open Ticlology and they buy the vehicle and invest in it. They still keep the supply and demand for open-air vehicles and they maintain their development until the next day. OK. As for Google, this is one of the first industries to support and invest in open-air vehicles. They have more than 2,600 open-air vehicles under the open-air vehicle. What about Facebook? At the time, they have more than 131 open-air vehicles with more than 110 employees to support their open-air vehicle and they maintain it on Github.com OK. What about the government in the world? I will go through one to see the influence of the open-air vehicle to the government. How big is it? This is the joint-app of the European Union. 
In this project, they launched this project in 2016 and until recently, they announced the amount of more than 7,000 other projects in the system with a lot of different materials. OK. This is the open-air vehicle. The second part I would like to introduce to you is OpenData. Who has heard about OpenData? Who knows what OpenData is? Who knows? We have students from high school, high school, high school, high school. OK. Thank you. Are you here to study? Are you here to study? Where are you? I'm here to tell you my favorite subject. OK. OK. Thank you. Who else? Are you here to study? Are you here to study? OK. Here. Are you here to study? Are you here to study? Yes. Who is here? OK. Thank you. Who else? Are you here to study? OK. Let's go back to the question. Are you here to study computer science? Most of you are here to study computer science. Who knows who is familiar with OpenData? No one is familiar with OpenData? OK. There are some teachers here who are interested in moving back to the education system. Right? We want to change the development but we don't know about this because it's hard. OK. OpenData is also called open data. It is the data that is provided according to the same principle as open data. This data is also provided by sharing, sharing and sharing with the legal rights of that data. The data can be divided according to the document, the image, the sound, etc. The open data in the government will be divided like this. The biggest choice is OpenData. This round is the data of the government. The smaller round is the public data of the government. The smaller round is the Internet data, it divides the Internet data from the big round is the government data. The Internet data of the government. And the other round is Internet data. The Internet data is called Internet data. The government's open data is a large-scale transaction between two large-scale transactions. 
This data is a data that has a very large value for businesses and has a very high value. The US government has recognized this, and they see that the impact of open data on businesses is very large. It is one of the forces for the new generation. This data has received a lot of public information. This is the data.gov. This is the US open data. This is one of the US data. There is a very large public data. In 2015, the information about Lansax, the US open data, has been opened and their project has lost 1.8 billion. In Spain, there are 150 companies that provide services based on open data with a total of 4,000 employees. How is the Korean government? The Korean government has created a system of information and supply of the government's open data. The Korean government allows anyone to open the data and keep it open. According to the law, the government is open to the Korean government, and the government is open to the European Union. The total value of open data is about 1 billion euro. This data is not very new. It is about 2,000 euro. What is the value of open data? There is a research and conclusion that open data is the motivation for SMEs, as well as startups, to participate in the number of companies in Vietnam. Why is there this conclusion? Because with open data and open data, you have the opportunity to benefit from technology, benefit from free data, and with the limited resources of businesses, you will be able to use a very large opportunity to reduce, increase, and save time, and a lot of money in your business. This is the lesson we learned. When we talk about open data, and the data we have tried, I would like to introduce it to you all. This is a form of cooperation. It is influenced by the fruit of open data. Even though the content hasn't reached the level of open data, it is the open data of the government. In Vietnam, the content hasn't reached the level of open data, but basically, we have enough tools to use open data. 
In the next part, I would like to introduce you to the way that this project of ours has developed and cut off the fruits from open data and open data. The next step that I would like to introduce to you all is the creation of open data. With the three products, we have open data, open data.info, open data.txt, open data.net, and open data.txt, open data.net. The problem is that this project is out of business, and I have discovered a problem of the market. That is the market of B2B, B2B products. There are a lot of B2B products in Vietnam. However, in reality, it cannot be used, and it hasn't been successfully developed. During that time, the factory of B2G, B2G, is a government factory. It is very difficult for businesses to participate in this factory. We have discovered that between these two networks, there is a gap that businesses can start or supply the supply. In terms of the market size, in the world, the market value of B2G is about 4 billion USD. B2B is about 20 billion USD. B2G in the world doesn't have the same amount. We don't have the same amount. In Vietnam, there are two numbers. B2G is 20 million USD, and B2G is 78 billion USD. B2B doesn't have the same amount. However, if we look at the size of the world, the amount of B2B in Vietnam is about 100 billion USD. In the world, B2G is about 4 billion USD. B2G is about 20 billion USD. B2G is about 20 billion USD. The scale is very large, but there is not a factory that can donate to this factory. This source is from Viet Nam 2020-23, which is quite new. This is about the opposite of the market. This project was launched. What is the platform for the B4G? We use the Viet Nam plant to open this plant. Viet Nam is a plant. The plant is handed over to the Vietnamese people from our company in 2011. We use the material to open the plant at the front of the plant. With these two sources, we have created the B4G product. What is the design of the B4G product? It is quite simple. 
The B4G product is cheap, it is software-based, with 14 different softwares. The main thing is to open the material to compete with the international competition. It also provides a lot of softwares. The main thing with this softwares is that it helps to open the material and one of the features is that you can use many softwares. That is to analyze, search for the components that are suitable for the softwares to participate in the competition and send emails to the animals. It is quite simple. I think that all the members here can do it. And our goal is to create the plant from a group of members who have two members who are from Vietnam, from the school of... what is the name of the school? I forget it. There are a lot of practices in Vietnam. You practice in a few months and the time we teach you this project is in 2018, in one month of Tet, we teach you how to do it. After you do it, you say that the product you use has successfully run and we test it. And when we test the product, we open the market and put the sales department in to start selling. When the market is in a good mood, we open the market and complete the product. It is very simple. You don't even have to use it. If you want to try, you have to send the email address that you want to send to your friends to send you the information. You don't have to use it. It is very simple. You have a last birthday of Mr. Mò. You have to use it for a month. After that, you continue to develop that project. You work at the company, you develop that project. You see that this is a startup project. This project was made in 2020 in the end of 2022. We took the risk to get a price of 60 billion. 60 billion. The business model and its business model is the data of other types of data It also has the data analysis. Then the research on the market. 
The data analysis is based on data analysis because you know that the data on the international market also has data of 2 million products and the price of 2 million products in the past 10 years. You can use that to analyze most of the data Okay, this is one of the main features of the Info Challenge. With the slide, you can enter the Info Challenge to see how it works. Okay, this is the result. A slide is updated from April 5 the day of the new day. 2024, right? This project has been signed by more than 187,000 people with more than 66,000 businesses and more than 2,000 VIP products. This VIP product is for this tender from 10 million to 100 0.5 million. Okay, this is the model of it. Let's see. This is the implementation of the Info Challenge. Okay, some of the information about the Info Challenge. Okay, so this slide I want to introduce to you foreigners but today, there are no foreigners here. Actually, this model can be applied to other countries because any country can have a business and to expand and expand each country will have to expand its policy and this is one of the ideas to expand some of the resources for the government to expand the information and expand. Okay, this may not be related to the government but I really hope that you will be the people who will change the policy to expand. Especially for Vietnam to expand the expansion how to the government to expand its policy to expand the law if defecation is not related to the law then we can expand the law. When people are not concerned about the law, are they prepared for copyright? are they having to or do you have a chance to distinguish between the open source and the closed source? People use the Lan cable because of the law. The law is one of the solutions to help the open source community. The second is how to control the security systems. The security systems of government systems want to bring the open source to the open source. It's the same as the Lan cable. 
At the same time, these systems have to bring the rules and regulations to ensure that government systems are very open source. These are the two ideas. Actually, I have many ideas with the government, but I hope that you will be able to do your job again when you are young. Okay. There are only two solutions to help the open source. The first is how to control the open source. The second is how to control the security systems of the government. The management of the open source needs to provide the open source. That's the kind of information we have to use and experience. Okay. That's some of the ideas for the government. Okay. For example, we are now moving to the government through VivoSar, the government agencies, and other organizations. To promote the policy of the government, this is a way for other countries if all the countries that have open source can completely move to a project like this, such as the one for the government, or the ones for the government, and the ones for the government, and the ones for the government, okay. The plan for me is to make a plan for you to use the open source to start up, and you can start up with a lot of different ideas. And the most important thing is that we know that there is a big project called Maylan, which is a similar application like our Q&A. It's a Maymap application. The name of it is M-E-E-E. Map is a product. You can see Maymap on Google. In my opinion, they will use a method to collect information from local systems and bring it online. Okay. Time is up. And here is my song. Okay, everyone, we have a tea break, and our next talk will start at 3.45 p.m. Okay, so hi, I'm Roger. This is a follow-up session from yesterday. How many people here saw the talk yesterday in the upstairs room? I see a couple of hands. Okay, so I'm here to answer whatever you want to ask me about the Tor project, the open-source world, internet freedom, privacy, censorship.
So whatever, if you're in the back and you can't hear me very well, you should come to the front and then this can be a community discussion. So with that, I'm going to go through microphones. I see another one here. So raise your hand if you have a question, and we will begin. Yes. So my question is right now, I'm not very comfortable in C, but let's say I'm very comfortable in Rust, Java, and JavaScript, and I would like to know how would I start contributing to Tor? Do I need to be a C expert to do that? Or is it possible to get started right away with code contributions? So the Tor software ecosystem has a bunch of different programs. The program called Tor is written in C, but there are people rewriting Tor in Rust right now. It's called Arti, A-R-T-I. So if you're excited about Rust, you should participate in the Arti development. If you're excited about JavaScript, there are all sorts of privacy issues in Tor Browser because it's based on Firefox. So fixing the browser level privacy things would also be really great. So pick whichever of those you think sounds more fun, and jump in. Sure. Oh, you've got. Okay, thank you. Eventually I have two questions for you. The first question is, I understand that there are several governments have been trying to decrypt Tor traffic. And to my understanding, they have been unsuccessful so far, and you prepare for that things, and you think that the new technologies like quantum computing or whatever could help them, and how do you protect yourself from their attempt? That's the first one. Let me answer that, and then you can do the second one. So yes, in the Snowden documents, when Ed Snowden brought out a bunch of NSA documents, he found everything he could find about Tor and made sure to bring that out to give it to us. There were several documents from analysts at the NSA who tried to do traffic correlation and tried to break Tor, and they failed. And that doesn't mean that everybody has failed.
Who knows, maybe there's somebody else who didn't have their document leaked. But at least that analyst document wasn't as good as the academic privacy literature. If they had read the research papers that professors are publishing about Tor, they would have had a better attack than they did. So that's an example where the US intelligence agency is not as far along as the public research literature was. So who knows, maybe that was just one person. So yes, are we ready for that? We're never going to be completely ready for that. We're participating in the academic research world of how to provide better padding and add more latency and overhead in order to protect more against traffic analysis. So that's a start. Another answer is most of the ways that Tor fails is OPSEC failure, operational security failure. So it isn't that they break Tor. It's that you use Tor, Tor does what it's supposed to do, but you accidentally wrote your name on your email and now you messed up and they know who it is. So most of the time Tor fails, it's not because of the protocol problem, it's because a human is trying to use it. Continuing to this question, I wonder the method that I read that people try to decrypt it by adding their own nodes into your Tor networks and they use their nodes at the try to get the traffic into them before and after transferring to other legal Tor nodes. How do you detect or remove those nodes from the network? Yes, so the Tor network is made up of 8000 or so public volunteer relays all around the world and because they're public and volunteer, yes, you can run one. Please run one. And that means that sometimes bad people sign up a relay. So one answer is I know many of the people who run the relays because it's a community of relays around the world. So a lot of them are run by non-profits. There's a non-profit in Sweden that it was created in order to run exit relays in Sweden.
And there's one in the Netherlands, there are three in Germany, there's one in France, there are two in the US, there's one in Canada. So these are organizations that run Tor relays as non-profits and they're part of our community. So we know a lot of the people who run the relays so it's not the case that most of the Tor network is run by bad guys, but maybe a little bit of it is. So one answer there is when you're building your path through the Tor network you use three relays and if one of them is bad it's okay. They're still not going to be able to learn that it's you going to this destination. Another answer in terms of how do you detect them for a while we had people adding bad relays from Russia trying to attack user traffic and they were actually modifying traffic. They were doing SSL strip attacks on bitcoin exchange websites and the goal is that you use Tor to get to a bitcoin exchange but it wouldn't really be the website it would be a Russian mob website and they would steal your bitcoin and the short term the fix for that was we would do probes out of every exit relay to try to see if you do SSL strip attacks and we can detect it. Long term the answer was HTTPS by default. Long term the answer was always use real encryption so that you go to the real version of the website and that solved that particular problem but yes the general question continues to be a problem and the design question is do you use a distributed network that's actually distributed trust meaning it's run by a lot of different people or do you use a centralized network like a VPN where somebody breaks in and now they have everything. So I think that the distributed version is the best available option but it's not perfect. Okay who or raise your hand. 
Just a really related question to that is that now we think that the bad guys are those who want to read our data, but what about those like government agencies? They are trying to be part, like the US federal government, if they want to be part of the distributed network, I think they have the power to set up but enough nodes in the Tor network to solve monitor that stream. So yeah, why, so think on that.

Yeah, so the worry here is what about large intelligence agencies that can run a lot of relays. So one answer is we know a lot of the people who run the relays, so they're not doing that, they're not running most of the relays. We know that because I've met a lot of people at hacker conferences, I've known them for 10-15 years. The, so that's the good news. The bad news is I don't think the NSA runs any relays, because they've already invested in surveilling the internet, they've already invested in watching big pieces of the internet, so they don't have to run relays. They should wait until this nice fellow sets up a relay on a piece of the internet that they're already watching. They don't have to run the relay in order to watch the traffic that goes in and out of it. So I don't, I worry a little bit about intelligence agencies running a lot of relays, it's a worry, but I worry even more about intelligence agencies watching enough of the internet that they can start piecing together which user and which traffic flows match up. So yes, that all, both of these questions are exactly the open research questions: how do we build an overlay network where we have a diverse set of locations and a diverse set of participants without letting well funded governments pretend to be users? You should find a microphone because I think we're being streamed, but we're getting the next microphone going.

Alright, so my question is like in iPhone when I try to install Tor browser I can find many applications of Tor listed in the iStore, am I secure?

Yeah, so we have Tor browser for Android, we have Tor browser for
Linux, for Windows, for OS X. We don't have a Tor browser for iOS, and the reason for this is that Tor browser is based on Firefox and there is no Firefox on iOS. Apple only allows WebKit, they only allow Safari, and every time I say this there is somebody who says no no no, you see the app, it's called Firefox, what do you mean? It's WebKit with the word Firefox written over it, and Chrome on iOS is WebKit with the word Chrome written over it. It's not Chrome, it's not Firefox, and the big companies like Google have decided to have an app that they call Chrome and the developers are confused otherwise. But we want the program called Tor browser to be the thing that keeps you safe, and if we can't do that because we're not allowed, like the WebKit is closed source, you can't change it, so it's because of Apple's monopoly that we can't keep you safe on iOS. Now that said, there's a program called Onion Browser that does a bunch of good stuff. It's not as good as Tor browser, but if you're on iOS you should use Onion, and yeah, there's a challenge there because how do you know it's Onion Browser? You were in this room, I told you, but there are a lot of fake top browser Tor advanced, there are a bunch of spyware malware apps on the iOS app store, and this is super frustrating because Apple built a reputation for only safe things are on the app store. I don't know where that reputation came from, because we keep sending them lists of malware and they keep leaving so yeah that I hope you're absolves the app store man up ask me more surely they're great

Can you, can you talk a bit more about like the Tor Project? So the Tor Project is a nonprofit, right? Yes. So like managing open source projects is, it's can be very complicated, and deciding what is the next thing to do or the direction of the project, and I'm pretty sure for Tor Project is even more complicated because you might have like people trying to get into the organization trying to set different directions and even malicious ways of like trying
to get into it, right? So first, like, can you talk a bit more on how the structure of the organization works, how do you guys work on this, and then also like if you guys have methods in place to avoid like these malicious actors trying to get in or?

Yeah, so in many ways Tor is like a software development company where we employ people and they write software and we need to get funding. So some of our funding comes from donations, which is great because it's usable for anything we decide we need to do, but a lot of our funding comes from governments and companies who want Tor to exist or want certain features. Like the Brave browser is excited that Tor exists, so they pay us some money every year, but also the U.S. State Department funds us in order to focus on helping people in certain countries around the world. So that, knowing where the funding comes from, we don't get to decide what we build, but we have a menu of 20 things we want to build and we try to do grant proposals and some of them get funded and some of them don't. So we don't do anything we don't want to do, but they can steer what are, what our short term priorities are based on what funding we have. So in that sense we're a software project, we've got project managers and developers and we use our own GitLab and so on. In terms of the community side of that, we have more people who are funded to work on Tor not by the Tor non-profit than there are by Tor. So there are something like 50 people paid by Tor, but there are hundreds of people around the world work for Mozilla or their university or other organizations that are part of the Tor ecosystem. They have a day job being a professor and they write research papers about how to make Tor safer. So those people are part of the Tor community, and some of them even write Tor code and contribute, and some of them even maintain pieces of the Tor ecosystem. So part of the trust there comes from us knowing them in person and going to meetings and talking to them, but yes, we
also get source code patches and contributions from strangers on the internet, and you have to look at those really carefully and build a reputation of understanding who that person is so that you know how much energy to put into reviewing their code and making sure that it's right. So there's definitely a balance there where yes, there are risks from pseudonyms on the internet, but also we need, like there was a great person from Belgium years ago who finds vulnerabilities in projects and I said hey, can you find bugs in Tor, I really want you to tell me what the bugs are so I can fix them, and he had just been employed by some Saudi Arabia prince or something and there was an exclusivity thing so he wasn't allowed to send vulnerabilities to anybody else. And my answer was I wrote a privacy system, please send me the vulnerabilities, please use Tor, and a week later some anonymous person showed up with a great vulnerability. I don't know who it was, but the contributions in that level are really important to making sure that it's not just us looking at the code, it's a lot of researchers, academics, industry people around the world who are assessing it all the time.

So for this assessment do you have like a core, like a core set of developers that you fully trust so they can actually say okay, this code is correct, I give an approval, or what is the process there?

Yes, so one of the challenges in Tor is it's actually an umbrella project of a bunch of different separate software things. So there's Tor, there's Tor browser, there's OONI which is for censorship measurement, there's the metrics project, there are projects working on anti censorship techniques. So it's a bunch of different isolated software projects and each of them have maintainers and developers. So yes, for each of them there are a set of people who get to do the git commit, to do the git push, and there are other people who write code but then it gets written before it goes in. We try to have a policy of at least two people
look at everything, so there's a lot of people who wrote it and some other person, especially in the case of external contributions. Microphone is not on or it died again.

I have a question about the useable of the Tor. I have experience of slow browsing using Tor browser and I read around and in the official site they said that if I'm now then it's possibly make it faster, but I'm not sure understand why it could be and how actually I can do it faster browsing with Tor browser. Thank you.

Yeah, so Tor has been slow throughout its lifetime. It's gotten a lot faster than it used to be. A lot of people think about the speed as I'm bouncing around the world so of course it's slow, but actually the reason, mostly the reason why Tor is slow is because of congestion in the relays. We have eight million daily users and eight thousand relays, so you're waiting for your Facebook page to load because somebody else's Facebook page is loading. So it's congestion at the relays, that's one of the biggest problems. In terms of how to make it faster, one answer is we need more relays, we need more capacity. Another answer is there are a bunch of researchers working on better designs for routing traffic in a smarter way, for detecting bottlenecks and routing around them, things like that. But all of the performance improvements come with anonymity tradeoffs that make it more complicated to analyze, and that goes back to the traffic analysis resistance discussions we were talking about. Every layer of performance improvement comes with a possible tradeoff of who gets to watch how much traffic and how much can they piece together. And it's gotten worse than that lately because over the past year or so there are marketplace websites in Russia that are trying to sell drugs or whatever and they attack each other over Tor, and the collateral damage is there's a lot more bandwidth on the Tor network than there should be. It used to be that you were waiting for somebody else's Facebook page to load before
yours would, now you're waiting for somebody's mini DDoS to finish before your Facebook page can load, and that's frustrating. We've been working on techniques to try to make, I mean I don't want them on the network, but I really don't want them ruining your experience of using the Tor network, so we've been trying to figure out ways to, to make them go away or to at least make the, the impact on the rest of the network stop.

So basically if we have more relays we can reduce the risk of being slow on queuing somewhere relays, right?

Yeah, so the more relays we have the more capacity we have, the more users we can handle. So part of it is the bigger the network gets the safer it gets and the faster it can be, but also the bigger the network gets the more users can use it and be happy. So we have maybe 8 million users a day now, but we could have 20 million a day if we had more capacity to handle more users.

Thank you. I have a big question. First of all, I hear about when you're surfing the Tor browser I can find something very illegal taste. I just wonder how you kill which new in your team at that you can improve privacy and security and the part make something illegal maybe less. Second thing, how to improve the connection between the network, and third, should we use the Tor with VPN? That's all my question, thank you.

Okay, I didn't understand the first question, but the second one was how should we be thinking about using Tor and VPN together. Yeah, about two, I'll answer the second one and then I'll ask again what the first one was.

Can I ask again the question? Okay, I mean when surfing on your Tor browser we can find something very illegal taste like a drug or a gun or a virus, so how to improve the security to make a review or something about that?

Yeah, so I guess the first question is there are bad people who use Tor, you can find bad things on Tor, how do we handle that. Okay, yeah, so these are both complicated questions. I'll answer the VPN one first and then I'll get to the bad people
one. Tor and VPNs are similar in a lot of ways, and you could, there are situations where you should use a VPN to reach Tor, and there is, even if Tor is broken somehow, they track you back to your VPN, and if your VPN works and they don't track you back to you, so that's a reason why it makes sense to do it. But one of the reasons it doesn't make sense is you're adding more surface area, you're adding more places that get to see your traffic. So if your VPN is perfect, great, that makes sense, but by perfect I mean not only they don't look at your traffic but also they're in a perfect location on the internet that nobody is looking at, and there aren't any of those. So if you route your traffic through Switzerland first and you hope Switzerland is perfect, then if the attackers are able to see traffic in Switzerland you're hurting yourself, you're showing them the traffic when you didn't need to, you could have gone directly to Tor. So that's, there are people who use VPN with Tor, but I don't use a VPN with Tor, I just use Tor and I'm happy. Should not use a VPN with Tor, we've got to make more traffic if you are an expert. No, I just know if you're not an expert don't combine them, just use Tor, don't use a VPN and you'll be fine, but if you are an expert feel free to do whatever you think is smartest. In terms of the bad people question, how to handle and solving that when you're surfing the Tor they can find less and need more techniques to find the more techniques you can try I mean when you're surfing it can easily find some so how to improve army I mean reduce the research train using that goal with such reduced it is that. So there's a trade off between usability where everybody can use the internet and Tor to find everything and being able to make it hard to find certain content, and some content we all agree is bad and I wish they would go away, but other content is more complicated. Let's say I have a blog about human rights abuses in Saudi Arabia. Some countries think that's
illegal bad content and they want to get rid of it, other countries think that's very important content. So how, it's for a lot of content it's unclear whether we want to get rid of it, but the real answer from Tor's perspective is I don't know how to build a tool that keeps you safe when you're doing certain things and doesn't keep you safe when you're doing other things. I don't know how to do that technically. You need to have the knowledge to control what they find, right? Okay, yeah, so I'd like to, I mean in a sense this goes back to the encryption backdoor question where the US government and the UK government keep asking for I want to provide encryption not if you're breaking the law, and if you're breaking the law you should not have your encryption, and technically there's no way to build it that way where I can decrypt it but only in certain situations, because once there's a mechanism to decrypt it Saudi Arabia is going to come to me and say that user is a criminal, tell me who they are, and I don't want to answer them. The answer is to not have a system like that at all. The only answer is you have to protect everybody because otherwise you can't protect anybody. Okay, so thank you so much. I want, I got one down here and then I'll

So how does the relay logic, is it like smart, how does the, what work the relay logic, like how does the relay, is it smart based on speed and health or is it completely random?

So the question is how do we choose our paths. So the Tor client downloads a list of all the relays, so it knows the locations and keys and exit policies of all of them, and then it, I'm trying to figure out what level to answer at. Each relay has a, a speed that we've measured and put into the consensus document, so you know how big each relay is, and we choose proportional to their speed for each of the three relays, and the goal of that is every circuit should get the same expected end-to-end bandwidth. So that means that relays that are faster show up more often, they get used more
often, and that goes back to your traffic analysis question, which is wait a minute, if the really fast relays are used more then aren't they the bottlenecks, aren't they more centralized, isn't that the place you should go watch more? Yes, there's a trade-off between performance, which we need to do or it will be slow, and privacy, where we need to distribute the trust over everything. So that was part of an answer. Another answer is every relay has an exit policy that describes what IP addresses and ports it's willing to reach, so about a third of the relays are willing to let you web browse through them, and that means that if you're planning to do a web browsing thing, if your Tor client is planning to do web browsing, it needs to choose one of those relays for the third hop, otherwise you won't be able to connect to the website. And there are some other attacks that cause us to choose the first relay in a way where we stick with it for a while, so I'd be happy to explain the whole guard node thing in more details but it's pretty technical, so should I do it, should I not do it? Okay, I've got at least one yes. So the phrase guard node or entry guard: in the original Tor design you choose three relays and you hope that you're safe enough. Imagine a world where 10% of the relays are bad, maybe they're all run by the intelligence agency you're worried about. So if you're worried about a traffic correlation attack where the first relay you pick is bad and they see that it's you, and the last relay that you pick is bad so they know what you're doing, and imagine they're good enough at math to do the correlation, the statistical comparison, so that means if 10% of the relays are bad and I choose at random, 1% of the time I've chosen a bad circuit, I've chosen a circuit where the adversary is in a position to be able to break it. 1% doesn't sound so bad. Let's say I build a second circuit, what's the chance that both of them are safe? Now it's .99 squared. Now I build 50 circuits, what's the chance that
every one of them is safe? The graph looks like this, the chance that every single time I flip heads goes down to 0. So the fix for that is that we choose the first node and we stick with it and we always use it, and that means 10% of the time, sorry, you picked a bad entry node, but the rest of the time you're definitely safe no matter how many circuits you built. So the design there is yes, you're safe at the beginning either way, but as you keep using the system I don't want the probability that you are still safe to drop down to 0, so that's why we fix the first relay and keep using it for all the future circuits.

And just a follow up question, so you said that when the browser starts up it downloads a list of the relays. Say it again? When the browser starts up it downloads a list of all the relays, so how often is that updated, is it like, what's the update?

It's an hourly consensus, and the way that that works is there are 8 directory authorities and they're the ones that, so every 18 hours or so each relay publishes a relay descriptor saying here's where I am, here are my keys, my exit policies and so on. All of those go to all of the directory authorities and then they produce a consensus network status and they publish a new one and they all sign it every hour, and that means that the clients fetch a new one every couple of hours. And the reason for that is we want, first of all you need to know that you're really using a network, because you can imagine bootstrapping on somebody's fake Tor network and then you're completely hosed, but second you need to know that you're using the same set of relays, the same view of the network as other clients are, otherwise anonymity analysis gets really complicated. Otherwise if I know that you learned about relay, this relay, and you learned about that relay, and then I see a circuit that uses the one you know about and not the one that you know about, then I can start dividing users. So we need everybody to have the same view of the network in order
to be able to keep them all in the same anonymity set. And I see a please end sign being held up, so thank you everybody, and I will be around for a few minutes to answer more questions off video, and I'm going to the main hall in maybe 20 minutes, maybe 10 minutes, I'm going to the main hall very soon to talk to all the people who are standing there and give them a summary of what Tor is. So thank you.

Thank you for the wonderful discussion we had right now. Thank you Roger, it was pleasure having you here. Alright, so our next speaker is Mr. Daniel, he's the CEO of Bitergia, so he'll be sharing his thoughts about mini CHAOSS, navigating the seas of open source software metrics.

So sorry for starting a bit late, I'm supposed to be in the hardware track but I was moved here, so hello all lovers of hardware, this is about software. So yeah, my name is Daniel Izquierdo, I'm part of the governing board of CHAOSS. CHAOSS is a project that we are trying to understand what health means from an open source perspective, and health means different things for different people, right? Health might be sustainability, health might be maintainability, health might be about the source code, health might be about vulnerabilities, so there are many ways of measuring what health is. So CHAOSS was founded in 2017, was publicly announced in Open Source Summit in LA in September 2017, and then back then there was a bunch of basically open source communities, foundations and companies that we all believe that this kind of analysis was needed. So this includes Red Hat, University of Missouri, University of San Carlos where I come from, Bitergia, company I co-founded, many other companies and foundations out there. A bit of historical background: the two main lines in CHAOSS, one of those came from academia in the US, mostly social sciences, trying to understand what this means about having all of these people working together, and the other line was mainly brought by the University of San Carlos and Bitergia in the sense of
understanding the health of the communities and open source from an empirical software engineering, so we were bringing the flavor of the qualitative analysis and the quantitative analysis. So the mission of CHAOSS, and it's part of what you can see here, is based on two main lines. The first one is we want to establish a set of metrics and discussions to learn and understand what open source is from a health perspective, what is, what matters, and we are structuring all of this information in working groups, so you can be part of this discussion at any point. All of this discussion happening in the open and you are very welcome to bring your own thoughts. We are discussing here working groups that are focusing on diversity and inclusion, on the value of having an OSPO in a large corporation, on the value of the open source by itself, on the risk analysis, so there are many areas and working groups where we are defining just metrics. So basically we are literally and theoretically filling templates. From that perspective we are trying to define what this is, what is the definition of sustainability. And then there is a second leg which is about producing, if we can implement basically this knowledge into software. So then with this knowledge what we want to be able is basically how can we translate all this theoretical framework and discussions into something meaningful in software, and this is where the second big part of CHAOSS is. Basically we are developing tools that are supporting, partially supporting part of this discussions. There is a third leg which is part of the mission of the community that is related to the standardization of all of this. We have started now discussions into becoming or producing our ISO standard in defining what means health or what means sustainability, but that is something that is still an ongoing discussion. But this we could summarize probably that CHAOSS is this. Why? Basically there are many reasons, these are some examples that we can think of, but mainly
because health means different things for different people. We don't have a single definition or single point of truth, so this is why we need to rely on you, the community, and all the people that have been contributing over the years to CHAOSS since 2017 to make sense of all of this knowledge we are bringing. We have people from way different places, so this means from, as I mentioned, academics, literally producing papers on this, academic papers. We are bringing people from the industry, small companies as Bitergia, large corporations as Red Hat and many more, BMW for instance has been involved there, Microsoft and some others, and then we are bringing the community itself in terms of newcomers, volunteers and so on. So with these three pieces, we can say academia, industry and volunteers, this is kind of the community of CHAOSS, and this is the place that you would be coming and you are more than welcome to join us if at some point this is of certain interest for you. So I mentioned some of the companies here and some of the foundations, people that are participating here, great to see you there. So we are working in an open community and the structure is more or less like this, so there is a certain relationship and there is a continuous feedback loop between software and the metrics definitions. So in reality these should be, those are not two isolated, you know, spaces, there is a certain intersection between both of them, so that means that not all of the metrics are already implemented in software, not all of the software metrics that are defined in the software side are defined in the metric side, so there is just an intersection here, that's it. But basically we are trying to structure information into these two main areas. Some of the working groups as I mentioned, so we have a diversity and inclusion that was indeed one of the very first working groups we did, one of the original founders in the working group and so on. At the time what we did was to basically understand, we were running some
analysis on the OpenStack Foundation to understand basically the gender diversity analysis, because one of the very first questions I remember we had on the table was okay, we are, remember the OpenStack Foundation was in Tokyo 2016 or so or 15, they said hey, we have this amount of, this percentage like 15% of percentage of women that came from OpenStack Summit, then there was an answer to that tweet asking how many of them are actually contributing. Basically the general answer was we don't know. So then we wanted to bring that in somehow, so we proposed to the OpenStack Foundation, and that was co-sponsored with Intel, an analysis on these areas, so this was kind of the founding of the D&I working group. Then there are other working groups, you can go through evolution, risk, there are some more than here listed. For instance there is another working group that is focused on, on the value of open source for academics, basically for universities. In the US there is now a whole movement being financed by the Sloan Foundation on creating open source program offices for universities specifically, and there are some of them very relevant, so Johns Hopkins University, Carnegie Mellon, CMU, so there are some more, Chicago, Santa Barbara, so there are several of them, and they are basically checking what is the value of open source for a university. So going to this specific example I could think here would be to mention that there is, according to a European Union funded project, 50% approximately of the cost or 60% of the costs are related to human capital, basically salaries. The other 50% approximately is coming from other costs, that means licenses, that means cost of development, that means infrastructure, you need labs, computers. So from that percentage open source is bringing a lot of value, because as you know if you start building on top of existing open source basically you will be faster developing software, you will be up to the age faster than if you are starting from basically scratch with
no libraries, no open source at all. So open source has been seen as a way of starting to produce sustainable research, so it means that over the years basically you can start putting that money or investing that money in other areas. So this is the value of open source and how you can contextualize this open source way of working in different areas as far perhaps or as close as we are in a university in this case. Going into CHAOSS software, there are three main pieces of software, so we have GrimoireLab, cregit and Augur. So I will probably focus a bit more on GrimoireLab because this is the tool I know, I was one of the original developers. I'm not developing anymore, I can answer some technical questions probably. But basically our idea is to produce a set of free/libre open source software, the L basically comes from Spanish language that means free as in free speech, so that's why maybe in Europe you see the word FLOSS that in English means a totally different thing. Basically the idea here is to implement the reference software that everyone can use to analyze the health of their project, their community, their whole ecosystem, so that depends, and an ecosystem can be defined in many ways, so we can define the ecosystem by individuals, companies, we can define the ecosystem by the projects themselves, so there are many ways of defining this. A bit about GrimoireLab and then we can see some examples. You can go to github.com/chaoss and you will have some more info, but basically with GrimoireLab you are able to gather information from 30 plus different data sources. What is a data source?
It's a git repository. Data sources, GitHub, data sources are any of the pieces of Atlassian stack, Jira, Confluence, Slack, Mattermost, all the communication channels, CI/CD. So basically think of the tool as a way to have from idea to customer or to release a full understanding of visibility of the whole software development life cycle. So you can enter into the code review activity, you can enter into the CI/CD processes, gathering and implementing the DORA metrics, maybe you have read the book about the Accelerate, which is the stability and throughput of the software. Maybe you are interested in understanding the code review, maybe you want to go and analyze the newcomers. So all of this information is available out there. Think of the open source projects, we don't typically think of this way. So we have licenses, we have the source code, we have the community, we have the collaboration, but there is the data that we are all producing, and all of this is produced in the open, so all of these data sources, and of course we need to follow the law according to data privacy etc etc. The thing is that all of this information is there. Think of a commit, so when you produce a commit what is the information that you are leaving there? Basically you are leaving your name, your surname, your email address, you are leaving the time zone you live, you are leaving the files you have modified, you are leaving information, you are leaving traces of the lines of code that you have added, you have modified, you have removed. There is a tons of information that you are leaving, but you are contributing to an open source project, and so at least you are aware of all of the information that you are leaving out there when you are participating in the open, which is good in any case because data, my position is that it's another layer for transparency, it's another layer to show trust. People can trust you because you are using a certain license, people can trust you because you are showing the code, you can see the code,
people can trust you because they can see how you are producing code, they can see the data, they can see who is doing what, when and where, and that's part of the vision of these three tools, not only GrimoireLab. Basically with GrimoireLab you have these 30 plus data sources, there are 70 plus different dashboards that you can consume. This is Python 3 by the way, and then for database and visualization is OpenSearch. We used to use Elasticsearch, they changed the license to a non open source license so we had to move to something fully open source. This is fully used in production, you have visualizations and reporting capabilities, so feel free to use the tool, yeah, have fun if you think this is interesting for you. The kind of things you can produce are the ones that you can see here. This is an example, this is an implementation of GrimoireLab which is Bitergia Analytics, in this case the commercial services that we are providing in the company, but this is what you can see, that is like a final dashboard, Kibana dashboard, if you feel comfortable with this or you have used the technology before. This is more about, they are still prototyping metrics. If you are interested in a scale, in a scale I mean to the level of the 100k repositories, so scaling really big, this is probably the tool for you. They are now creating a layer of AI, ML on top of this together with Red Hat, and that's a different tool, so this is probably to understand the trends in the open source ecosystems that are of interest for you. There are a way that you can compare projects and so on, so that depends on your needs. So I would say if you are interested in understanding the health, sustainability, creating your own dashboards and visualizations and going into a certain subset of projects, maybe up to 10,000 repositories or so, probably GrimoireLab is a better tool, you can drill down, you can filter by time and so on. In the case of Augur you go to another level, so you go to the next order of magnitude and
then ideally you can go to this 100k, so then you can start doing another type of perhaps big data analysis. In terms of the amount of data that all of the tools are producing, so for a useful ecosystem a science here for instance, which is pretty big, we are talking about the couple of hundred gigabytes of information, which is, I mean, certain amount of information but not that big at the end of the day. And then finally Cregit. So if you've read one of the last Linux Foundation reports on the Linux kernel, they are using, sorry, they are using Cregit to tokenize the information. What does it mean to tokenize? Basically is, you take a line of code, basically each of the words basically, you take them out, so they are running certain analysis on corpus, how the grammar has been evolving and other aspects. So basically this is telling here, right, Cregit is capable of tracking the contributor of each token in a line and then you can go into that specific aspect. So think of this, you can have a line and then someone has modified an in or out, whatever, something in that source code line, but then the other part of the line is basically belongs to a different developer, so it's going up to, you know, down to this really detailed view. This is quite working quite well for the Linux kernel, so it's, you know, millions of code, so there is certain scalability, and the purpose is totally different than the other two tools, this is a different focus. So then you can have some statistical analysis basically on ownership specifically, might be useful for instance for due diligence, mergers and acquisitions, so there are different areas. Um, okay, photo is taken, perfect. So how to participate: if you are interested in this technology, the discussions we are having and so on, so please go into chaoss.community. So this is the website, you will see different areas there. Indeed let me show you the website, which is probably better. The other one, yes, I was opening this. Okay, so you have basically this
is the usual website for an open source community, nothing really fancy here, but in the about section you will learn about the charter, the code of conduct, data policies. We are now working on ethical use of data, because at the end we are talking about private data somehow, so we need to take care of this. Governance and the governing board, so the governance is basically the charter itself but defining how we work. Working groups, that you could be a working group, so there is a whole path to be part of the community for a contributor, maintainer, working group leader, you can be part of the board at some point. And then governing board, there are many people, so you can click there, not a big deal. From the calendar perspective, if it works, yes, so you can see all the different projects, okay, and then you can see all the different projects that are working here. If you remember, I saw you like four of them at the beginning, we have all of these. So academic working group, Africa meetings, so there is now a CHAOSS specific meetups happening in Africa region, the Africa system. Asia meetings just recently started, so maybe you've had the chance to meet Divya Mohan, I think she works for Amazon Web Services, so she's the one kind of now starting to run the discussions, she's based in India, I don't know exactly the city. The community management, data science, DEI, diversity, equity and inclusion, metrics discussions, OSPO for open source program offices, science and research software meetings, which is the GrimoireLab, and then some other CHAOSS meetings. So I'm running out of time, so I just wanted to show you this. Please go around, check the technology, github.com/chaoss, all for you to have fun. So thank you for your time. Any quick question? Any questions? Okay, so what sort of metrics do you consider like a healthy versus an unhealthy project? What are the main metrics you look at? So the question is how are the metrics, so what are the metrics that are part of the definition of
health. Okay, that's a tough question, so thank you for the question. That depends basically on your definition of health. Example here is what is what matter to you. If you are running a business, so probably you would like to have a certain, you would like to see a certain activity in the releases, you would like to see that they don't have, you know, like a lot of security vulnerabilities, that they don't have certain things. But then you can enter more into this, and if you think about the, for instance, the concept, bringing here the concept of software bill of materials, any large corporation out there is having at least, is a software bill of materials of 15,000 pieces of open source that are part of their, you know, usual business. So if you are running a bank, probably you would like to know if there is a problem in any of the 15,000 pieces of code that you are using. So for a bank probably would be really useful to learn if there are poorly maintained areas of code or if there are projects where there are no developers, so that could be a good definition of health. For others, for instance for academia, perhaps the size of the community is not that important, but then the quality of the results within the community, so perhaps they are more interested in replicability of the results and some other things. Basically I would give you back the question, and the question to you is what is what matters to you, how would you define health. Yes, there are some case studies that we can, I can serve really quick, couple of them, let me go. So this is a presentation I gave the other day that we can go really quick. So case study, we can go for this one. This is Red Hat and OpenShift and CNCF ecosystem. So what we did is, if you see all the dots here, this is a developer, and then there is a line here if there is a contribution. There are developers that are participating in more than one project, so we have Kubernetes, we have Falco, this is for the whole CNCF ecosystem a few years ago. We have a lot of developers
here that are working in many different projects. This is my definition of health, having a really messy community from a visualization point of view, but that's my definition of health. This is a case study that was useful for Red Hat to understand the relationship between OpenShift, that is a distribution of Kubernetes, and to the rest of the, of the community, and this is, thanks to this analysis basically the community manager back in time was able to use, to move from a more art perspective, basically I know my 200 developers, to science, I need now to start making decisions of 7000 developers, how can I do it without data? So that's the thing, that this is just one simple example. There is another one that I suggest you have a look at it. This is a report that we did, now I'm changing the hat here, so this is Bitergia, this is the company, but this is a report with Mozilla community using GrimoireLab. So if you go to report.mozilla.community you will see a full analysis of the whole contributions, contributors based in Mozilla, that includes Thunderbird, Firefox, that includes all the localizations, all the knowledge base they have, everything is there condensed. So this is their definition, and probably what you can see and the analysis that you can see there is their definition of health specifically for the Mozilla Foundation case study. So I would say that depends. If you are asking for a canonical definition of health, this is what we are trying to define in the standard, but that's going to take a bit. Thank you. I think we are out of time, right? So yeah, we are almost done, so thank you, thank you for the presentation, it was wonderful.