Welcome back to the channel of ChaosZone TV. This is day two of the Remote Chaos Experience. And we have a full schedule for you again. So let's just dive in. We start with the talk "Get your tools offline". We will talk about how you can just build up your infrastructure from the ground up. And so I welcome Martin. And he always likes to take things apart and put them back together. And he started with a KC86. So he will present to you how you can handle this yourself. Martin, the stage is yours. Looking forward to it.

Yeah, thank you very much for the introduction. Thanks for me. Thanks for allowing me to open my toolkit for you. So I want to ask the question, how much cloud is useful? And how much is just for convenience? And how much cloud is too much cloud? If we want to protect our data and save data, but also what our priorities are. So where do we need cloud? Where do we want it? And is it possible or maybe even a good idea to not use any cloud service? So I'm playing around with Arduino a little. I will show you what I do in my free time. As mentioned, I always took things apart. And it was also always about solving simple little problems and sometimes more than that with Arduino and others. But that's only supposed to be an example. For all the things you can do yourself, for all those who already know about Arduino and others, hopefully you just feel right at home. But for others, maybe there's new ideas and I'm looking forward to feedback. Because for me there's always a lot more to learn and to do. And I really like to play and to discover new things that can be done with little work. And of course you can always invest more time and energy and do things that many people wouldn't find reasonable. So I'm coming from the software world and for me hardware is just another reincarnation of software. So software with other ways. And for me that's more than enough to start with.
To make it easier, I made a collection of common mistakes or errors, people who work with hardware will certainly know about them and encounter them on a regular basis, but it's painful to get there on your own. So a lot of things could be easier than I encountered it. So this error collection can maybe help you evade these problems. So please stay critical and yeah, I'm looking forward to feedback. About me, around the 2000s I studied computer science in Dresden and then I got to my current employer. I'm working at a German online seller and that's why it plops because I'm also working with DevOps. That's just all the things I do. I find it fascinating, organization, software and then in my free time also hardware. And then I discovered Arduino and others. So when I'm not working on disassembling things in my free time, well already in my study time, it's said that you get the most information about the system when you destroy it with a lot of energy. So I'm not about destroying things, but I'm curious. Another point was data protection. And so I want to see how does a system work on a most basic level and what kind of data is necessary and how does it have to be there so functionality works. So in short, isn't there an easier way with less data? And so I arrived at these projects. I want to talk about these examples to show you and to encourage you to think about easier functionalities or if you really need the cloud services for these tools. And I want to start with the project Secure Chat. I already presented this in August. The smart home topics will be just briefly introduced. I'm thinking of power sockets that can be turned on and off using Wi-Fi. So first, why am I talking about this? Why am I talking about this here? What is a cloud in my context? So for me, everything, all the services hosted in the World Wide Web are cloud services for me. And everything that I can reach using simple tools nowadays.
So with hosting, I'm talking about things where I don't have to handle hosting myself, I don't have a server myself, I can just use a service online. And if you have a local server, you need to have a proper rights management and you have to see convenience as a must. So on a cloud service, I don't have to care about updates and the like. So access control is also done for me in this case. Hosting itself is happening at a different place. I don't even know where the actual server is located, somewhere in the World Wide Web, maybe in the computation center of Frankfurt, maybe somewhere else. But this means I can access this from everywhere. I can go there, my friends can there, even from the other side of the planet. In addition, I'm getting another couple of features here. But the things I need are definitely being hosted. The protocols, I would like to use for that, but also the providers also put other functions there, other measures there. So the service usually takes some kind of data, usually easily very simple structure, which they then make available. So quite often you have some way of graphical representation, graphical user interfaces, plots and analysis. I wouldn't personally build for myself because I wouldn't really need that statistical analysis. Typically it's also available in cloud services. This is provided in a generic way and the service basically provides an improved connectivity with other protocols. So data storage is done in a way that many users can use this data in other formats in other ways as I would do that. So for me, the tool just would need one format, one single format, not all these different paths. In the cloud, typically if you want to export data, there are lots of protocols, lots of endpoints there, some to use data and apps on a mobile phone, some to use them live in a smartphone, so in a smart home. 
On the other side, there are costs attached to that, costs like maybe direct costs depending on the provider for using a service or paid by other business customers. So other customers pay for that and I'm getting advertised. In addition, I need to create an account. I need to log in because this data needs to be attached to my account here, so I need to create a login, hopefully anonymously, pseudonymously and having a password. So this then means I am dependent on the API. So I'm logged in into that data, data is going to be exchanged, meaning I'm dependent on this provider. I'm directly dependent on the availability of the service, some reachability, can I even reach this service? And on a long term, I'm dependent on the API. So what's then interesting is how this thing changes over time. So I see cloud services changing all the time, not saying that every cloud service has to change, has to be fixed in any way, but we see that they change all the time and I'm dependent on this, on this API. So any changes in the company policies of this provider have direct impact on my own project. So I had this one case where I was using a certain provider and one month in, this provider was acquired by another company and the service was gone. And so was my project. So there's other questions about access. Do I have the devices that can connect that one? Like smart home blocks, like the Fire TV Stick. And at least at that point, I need to trust the provider or the manufacturer what they do, that they handle the data, get generated by me, by my devices in a safe and secure way. So that these devices only do the things they are made for. And especially when I'm talking about the Amazon Fire Stick, Amazon even asked you to store the credentials for my passwords in the cloud, which kind of opens the way for them to use this in any other way.
So I'm not only depending on the service to be available, but I'm also on handing this kind of information in a sensible and safe way. So all of this means I should at least start thinking about what happens with the Wi-Fi password. So I know that, sorry, I know that there is a relationship between, for example, the Fritzbox MAC address and the password and so maybe even knowing this Wi-Fi password information like that would allow this provider to access some data on my Fritzbox. So last but not least, to access these services, I need to open certain ports in the firewall, in the router, and in any case, the background volume, the background traffic of my own local internet access, it will increase. This makes it more difficult to secure my own network. It makes it more difficult to monitor my network. So for example, if I don't have any device I don't know in my network and I monitor my traffic and see that certain peaks at a certain bound of time, I can draw some conclusions from that. And if I have devices that use external cloud services, there's a lot of background noise that does not allow me to do that. So at least if I have something like 20 different smart home plugs, you see the video conference is slowing down just because of the additional traffic. So the service provider can secure against that one, because they have the financial power to do that. But because of the large size, there's a large attack area for them. It might be very easy to spy out the data on the service provider once any kind of hacker, so I need to trust the service providers for that as well. And yeah, you might want to think about that.
So the transport layer, it's not certain that all the data that comes from Germany and has worked with in Germany also is routed through Germany only. So sometimes the traffic takes roundabout ways over other networks. And that can happen easily. Of course, there is a lot of interested parties and a lot of states also gather data in Germany and Europe. So it's certainly not the case that the data is invisible. At least metadata has to be seen as public information. All those are, in my opinion, the big Achilles heel of the systems. So if I have local services, what happens then compared to this cloud communication? Offline communication is, in my opinion, so less is more and less redundancy. So you focus on what's essential. So of course, we want to produce less data. So that makes it easier to protect the data, of course, but it also makes it easier to handle the data. I can also show another view as well. We might need less power because everything is local. And it doesn't have to be sent somewhere to the US over the World Wide Web or to Frankfurt, but everything stays local. Of course, servers here take power as well. And of course, I am wasting some CPU power, but still, I feel like we have an opportunity here to save energy as well. And at the same time, make it easier to protect our data. That isn't to say that you shouldn't have a backup somewhere else, because when your house burns down, everything is gone. But it also means that we should really think about what data do I need, when and where. So reducing the attack surface and reducing power usage. For that, you need a lot of small chips. But I think we have those and I think we can do a lot of those. I know that this is going to be a big discussion point. But I know that this will be a big point of contention. So I'm looking forward to the discussion. So let's focus on the details now. The graphics that cloud services usually provide, that looks very attractive.
Well, I think so the graphic user interface, I don't think we need it. But I know that many beginners do need it and that enables it provides easy access and lowers the threshold to join in. To also make local work more attractive, we might want a nice UI. So connectivity is reduced, usually to the format you work with yourself. So this advantage that you have many different formats and can convert everything, which is one of the pillars of cloud usage. I don't think that's an advantage at all. The format that I usually use locally, that so I don't need all those formats. So the cloud provider, of course, needs it, but I don't. So usually the private user also doesn't need the scalability of a commercial cloud. I usually generate the same amount of data all the time. And I won't suddenly grow 200 more rooms in my home. So for the business, it might be interesting to have scalability. But for the end user, not really. So this is the setup that I start with. And I'm thinking, okay, what can I begin with? The most elementary need that I have is a reduction of data and control about data and passwords and encryption, of course. And an extreme requirement about localization is also smart cards. You can have Java applications on the smart card. Energy is taken from the NFC field around it. And of course, that can do extreme things. So it's very local. My ad hoc system is my ad hoc system, basically, where I can have local applications without needing a cloud service. So there are cloud services for key exchange, but I don't need it. So now I have a choice so I can use one or the other. And I think that's the main point that we often have a choice without knowing. So this application here was presented at the conference Datenspuren 2021. The application is well documented there. So what is it about? It's about exchanging keys and clever usage of keys. Such a smart card is a nice small computer, but to exchange the data on a smart card, you need a terminal.
Right now I'm doing that with a smartphone, but it's universal. So it's a very minimal element. So a smartphone has a lot of parts. It's not offline, but the main functions that I need for a smart card are rather simple. And there's a lot of devices with this. So I need NFC and some display for text. So basically it really looks like a job for an Arduino. And of course there are variants of implementation. So but just using an Arduino also improves security in my view. So yeah, I can focus on a small chip and I am independent of other systems. Why should a key be on a smart card? Why should it be encrypted to just explain the crypto thought behind it? So the idea is that I can get good cryptography if I really have some random key. This is one of the most elemental things in cryptography. I need a really good key. I need key exchange, which needs to be confidential and secure of key or information, whatever. There are some, of course, some public key schemes, but at some point, someone needs to trust someone else. Some device needs to trust some other device to initiate this. And the most simple algorithm is using one key bit for one bit of input, which is called the one-time pad. And this one bit is never going to be used again. So I have a rather secure algorithm, which is just doing an XOR for each bit, bit by bit. And then I'm done. I can put this into a machine, but if I do lots of other keys there, then I'm going to have side channels. Lots of things happening in the machine. So because if any of this information about there gets leaked into the outside, I'm lost again. So I want to have some simple device that cannot communicate to the outside. And this means I have a very simple and clear implementation. So this was one example here on the left hand side. You see the smart card. And in this place here, you see this, it interacts via NFC. We have the Arduino here. This is just the USB 2.0 adapter as a power supply.
And some 3D printed plastic case with a touch screen so I can easily enter text and get decrypted, encrypted or decrypted to take out, can just easily build this everywhere on the road. And if I switch this to secure mode, timing between these. So there's some timing. I experienced some timing problems, some energy problems on insecure mode, but I think that's fixable. So this would be one way where I don't need any cloud service. I have some alternative and I can choose cloud as a change of place for the key exchange. I can still choose whether I use the cloud for the key exchange or some smart card here in this case. And it doesn't have to be like that. It doesn't have to be a cloud. We also saw some application with someone built this into a ring for the finger. Some other possibility would be music streaming. So not only music streaming for adults, but especially music streaming, voice streaming for kids. So there have been a couple of projects. So let's have a look at my variant of that one. There's some hardware fork. I just call this Woody, because, for some reason, I printed this in wood filament here, whatever. So at the end of the day, it worked and it's pretty intuitive for the kids. It's pretty intuitive. So my idea is I don't want to have a compactive or FCDs because they can easily be scratched or damaged, but I would craft. I want to have some night light as well as a visual function. But the main thing is this playing MP3 for the kids. So there are a couple of solutions there, many of them are cloud solutions, but I didn't like that. So I didn't really see why this needs to be in the cloud here. So and proprietary and inflexible in the sense that it's very difficult to play your own text, your own music on that one. So. And also usually these things are very, very expensive.
So I was wondering why should I pay that much money if all these things is supposed to play some content, some music. So I started with this little thing here. So this simple chip here does most of things here. So I plug in an SD card here. It has these two pins here. I can plug in a loudspeaker here and this little board, this little chip here does all the rest of that. Exactly what I clicked here, play, stop playing, can't do much more than that, but I don't need much more than that, actually. So that's why we're started. And if you start with that one and then continue and continue, then you come to this weird monster here, which looks pretty weird. So there's some open source project called TonUINO, or Hackaday, some Hackaday project looking at that. I'm going to provide the links later on. So these two projects basically built the same kind of thing. I'm taking an Arduino. I'm taking an MP3 player. I'm taking some NFC and some reader, of course, some buttons. And I either do this in some hack away or I create and add my own board for that. So I directed that. And then I thought, how can I do this as small as possible? So if you then change a couple of things in the software and improve all these little things there, then trying to make all the things smaller there. So that one. So we want to save space in the program, of course, and everything needs power as well. So I started reducing things. And here you can see the wood filament and if we then put everything together, we have an MP3 player. It still needs external power with a cable and the LEDs need a lot of power. And so one thing leads to another with the buttons at the front. We can, of course, jump forwards and backwards, change loudness.
And there's a hardware mode to program the tags. So I don't need extra hardware. Everything is in this packet. What's special about it, what I put in the software is that if you remove the tag, it stops, it sounds trivial, but sometimes working with hardware, the most trivial thing can be quite complex because the library is not meant for that. So it's not meant to discover a removal, but that's the challenge. So now we are leaving beginner territory. Now it's about making your own stuff. So let's go to the next slides and just to show you what's possible later, but the beginning is that you start doing things local and then you can work on it on your own and make changes that you want. Another point was saving the energy, of course. So I can turn on and off individual modules. So this is a very simple way of doing it with transistor cascades. So everything can turn itself on and off to save power because the MP3 module takes a lot of power on its own. Basically, you don't have to do that. If your only goal is to have it offline, you use the MP3 player chip and that's it. But if you want to continue, you might land on something like this. It includes 3D printing and 3D modeling a bit. And then, of course, there's a diagnosis module as well. And if you are at home at one of these areas, there is so much information online already that you can just go ahead and start. And everything in here is public. You can just have it. So if you say, okay, I know a software, you're almost done already. You just take an MP3 player. You can order just a PCB online or you can build it yourself. It's not very complicated. Or you just build it already done. And off you go. And then you can just focus on what you are good at. So if you are good at software, you're at the software. If you are a hardware guy, maybe you want to build it yourself. But you can choose what you work on. So I want to invite you to join in. But I want to show you two more examples first.
So there's a clocking in and clocking out, a time logging application. So you can check how much time did I spend on this exactly? So I would like to have a statistic about that. So on your job, you do have to do that. And at this point, I usually have a project and then I have a project step and I want to combine those. I want to know, when did I do which step? When did I log which step and what's the status at one time? And those are the same keywords over and over again. And again, there are online solutions. But why? Normally, basically, I just want to enter data. So I have certain keys, project key and job key. And my solution is a touch panel and just a line on the left. You have the projects in the middle. You have the topics and then you combine two. And then there is keywords and it just enters into the system. A hard key starts an application for me. It's fast Excel or Excel and it then enters the data on the back. It looks like this, not very spectacular. So basically, it's just two PCBs and there are thousands of instructions for this. And already you have an offline tracking tool. Of course, you don't have it to do it. You don't have to do it like this, but it can be also very mobile. So, for example, in the form of dice that you just turn around and it then counts how long does it lie like this? But basically, it's just two systems that I need for this. Maybe it works even better. So I need a sensor that tells me the orientation. And I need a small logic unit. So I used an ESP32 and a TinyPICO to just make it smaller and fit it in there. And the sensor. And that's it at the end of the day. And these two log in at a local FTP server and a very simple script just uses a very simple script to just write into a file. I don't need a huge service for several hundred Euro to manage that. And you can take that further, of course, in the topic smart home. There was this talk at the DS 2021 done by Honky how to hack Wi-Fi power plugs or power sockets.
So it's not that complex, but with more than 20, it can become difficult in one Wi-Fi network. So there is some more work with all these applications you've seen. There's a lot of chips that are already available with a lot of documentation that you can just use and they are quite good at this and they are cheap. I have a lot of possibilities of interaction and sensors and for the IO, there is even more options as a platform as a calculation machine. I used Arduino with the ATmega chips. I have the ESP32 and its friends and Tinker and all those I can use and I can just use them and exchange them. So there are a couple of sources of errors and mistakes. So let's just briefly sweep out that one. So there are many possible ways. For example, problems with your power supply, for example, bad contact at your web port and timing problems, but that's a bit too difficult for that. So always expect several mistakes, several errors to happen at the same time. And always start with wire, don't start wireless, if that's possible. Because the initial setup is the easier it is to find the error there. So let's catch things short here. I'm very happy for the invitation to talk to you here. If you have any questions, I'm happy to answer them.

OK, thank you very much for the talk and there have been a couple of questions here. So, for example, where can we find your slides?

OK, good question. So I'm asking the directors where I can put them, but I probably just upload them to my GitHub here. But direction has already said that CCC will be able to host them.

So that's a bit of a critical question. How things look with the Java smart card, whether there are any updates for them even.

So a question is what do you actually want to update there? So, of course, you can always change the card and the logic is pretty simple and offline. So just treat this as something like some kind of hardware token. So I'm giving the feedback to Stefan Radke, who's managing this project.
So next question is more of a comment, which is that the activation of cloud services sometimes makes even hardware obsolete, like Internet radio receivers is there. So there's a question here, more related to, I don't know. So what's the question? What do you mean with tools? So the question is where are these offline tools, but the way I understand your talk is that the things you built here is what you consider to be tools. But if you want to add something to that.

OK, yeah, exactly. So I mentioned tools right in the beginning. My tools here are, this is my combination of my projects here built from all these projects here and the tools, the basic tools here are Arduino and Co, Raspberry Pi, and all these sensors that are out there.

Yes, exactly. So that's for the question I had coming in via the pad here. So thank you very much again for your talk. And so in this channel here. We have a break of 45 minutes and next talk here is information. What are you looking at the documentary on privacy? And yeah. See you then? Here again at 1300. Have fun. See you then.

This was the translation done by B and Easegram of the talk "Get your tools offline". If you have any feedback about the English translation, please use the hashtag C3Lingo on Twitter and our masterminds here.