Hello, everyone, please welcome Martin Strbačka. Once again, that's better, yeah. So again, my name is Martin Strbačka. I work for CZ.NIC, and more concretely for our own project Turris. If you haven't heard about it, I will try to tell you something from the three-year-long history of the project, and hopefully you will have a nice overview.

So at first, a few words about CZ.NIC. We are the operator of the Czech TLD domain. We are a not-for-profit organization, and because of that we are trying to do projects for the good of the Internet. Just for example, one of our biggest and oldest projects, the BIRD routing daemon, or the Knot DNS server, and many more; maybe you heard about them. We also run the Czech national CSIRT team, and everything we do is open source. We strongly believe in it, and we are happy to share our work with anybody who wants it.

So what is project Turris? It's a security research project at first. It's a service for helping to protect home networks. We created a Turris, which is basically a router, and it works as a network probe at the same time. We developed it and we produced 2,000 pieces of these routers and gave them to 2,000 Czech Internet users for one Czech crown for three years. One Czech crown is less than one... so that's a really, really low price. Why is it so cheap? Because the people who got the router signed a contract with us that they will share some information about their network and about their network flows with us, and we are trying to analyze these data and look there for similar behaviors of attackers and so on.
And thanks to these facts, we are trying to keep the Internet, keep the end users, safe. When we find some attack, we cooperate with the CSIRT team, who is then responsible for contacting the user and telling him that something is wrong.

How did it all start? In 2012, we started a project called Catalog of Routers, and in this project we tried to analyze normally available small office, home office routers and analyze what the status of these routers was, how safe and how good they are. But after one year of this project, we found out that the situation is quite terrible. The home routers are definitely not up to scratch. There are security holes, cheap solutions, cheap chips. You can find really cheap hardware solutions inside, and regarding the software, they are really slow at adopting new technologies like IPv6, DNSSEC and so on. And if there is any security hole or any other problem, there are almost no software updates. So there is no way to get rid of these problems.

So a year later, in 2013, we decided to start with project Turris. We decided we need our own hardware, or at least hardware which runs our own software and, thanks to the software, delivers a more secure solution for the end user. But about the hardware, there were three ways to go. The first one was using existing hardware and putting our own software there. This is really cheap and easy, but I can tell you that we could not find the right device, because the devices out there don't have enough RAM, enough storage, enough CPU power. So we tried to ask a few manufacturers if they could modify the router to meet our needs. This is a little bit more expensive, but who will modify only 1,000 devices if they normally produce like 100,000 devices? Well, nobody. So we decided to go the third way: make our own hardware. This is definitely not cheap and not easy, but you can learn a lot of things. So this is the output of our work, the project Turris router.
Well, let's say in comparison with other home routers, it's a beast. If you understand at least a bit of embedded hardware, you can easily see that from this specification. There is a dual-core PowerPC processor, 1.2 gigahertz, 2 gigabytes of RAM, 256 megabytes of NAND; the hardware is able to route 1 gigabit per second without any problem; two USB 2.0 ports; an RTC chip. This is quite unusual, but we need it for DNSSEC, which is enabled by default. There is also a crypto chip, which helps us to feed the entropy pool at the startup of the device. Of course, I must mention our killer feature, which is the dimmable RGB LEDs.

What's the operating system which is inside the Turris router? Well, we call it Turris OS, but basically it's a fork of OpenWrt. If you don't know, that's a distribution for home routers with a 10-year-long history. There are more than 3,000 packages available, and we gave all the users root access, so you can modify the setup of the router in any way you want. Why did we decide to do the fork? Well, we wanted to add some features we missed in OpenWrt, and the most important one is automatic updates. We are trying to release every month a bigger release of new updates, new versions of software, and so on. But we do not stick to this plan, and sometimes we release updates sooner. Usually this is when we know about some problem with some important software which is inside the router. So just for example, when we heard about the OpenSSL Heartbleed or POODLE problem, we were able to fix these bugs in all the routers in a few days. Just prepare the update, and all the routers check for updates periodically, so they will download it immediately and update themselves automatically. We also added there some features which help, let's say, normal users to set up their router without knowing much about how the network works and so on. So the configuration wizard which is inside is called Foris. It's written in Python, and you can see it on a few slides here.
It basically works as a configuration wizard. So it will help you to set up Wi-Fi. It will force the user to set up a strong password, so the router doesn't work without entering a strong password. So there shouldn't be a problem with keeping admin/admin in the router for eternity. Also one of the steps in the wizard is updating the router. That's the green slides. You can see there which software was updated at the first start of the device and so on. We also added there software called Majordomo, and this will help you to have an overview of which LAN clients talk to which remote server. This can be helpful if you have, just for example, a smart TV at your home and you want to see where your smart TV phones to. So if you can see in this application that your smart TV is sending something to some Chinese servers, you can be quite sure that there is something wrong happening with your TV.

I'll tell you about the data collection. So what are we collecting? We collect unsuccessful connections, from both directions. That means when somebody tries to talk to your router but the port is closed, or if there is no service which answers the requests, we know about that. Also when your router, or any device behind your router, tries to communicate with a remote server but the server doesn't answer, we log that too. We also do various statistics from these firewall logs. We collect packet flow data. We don't do deep packet inspection, but we look at the IP address, port and, well, SNI if you communicate with an HTTPS server. We also collect pings. We are trying to ping a few, let's say, important Internet services like Facebook, Gmail and so on, and we are trying to compare this data and have knowledge of how your Internet connection is going and so on. Similar to the pings, we do certificate collecting.
This is definitely more interesting, because we are trying again to connect to Facebook and other services like these and compare the certificates we get from the server. So if we know that 1,000 users get the same certificate but one of them has a different one, then we again know that there is something wrong, and we can contact the CSIRT, and they will contact the user and so on. We also have software called Minipot. That's similar to a honeypot, but it's smaller, so we call it a Minipot. That's a telnet server which is just the handshake with the login. That means that we are able to log how the attacker tries different login information and so on. Thanks to this fact, we were able to catch a quite big botnet made of home routers. I will tell you about that later. We also have something called Honeypot as a Service. That means that the honeypot doesn't run on the router but on our own server, and if somebody tries to connect to SSH on the router, we basically do a man-in-the-middle attack on them and redirect them to our own server. We then log just like a normal honeypot. We log all the commands the attacker issues on the router, and you can comfortably see that on our web page through your profile. We use a Cowrie fork for this. If you are interested, you can see that on our GitHub on this link.

Well, when I tell anybody about data collection, they always tell me that they don't want such a router at home. So, why shouldn't you be worried? We got the Positive Big Brother Award in 2013. We have a separate database for accounts and for data. We also consulted our whole solution with the Personal Data Protection Authority, and we keep your data only for 10 days. Then it is deleted.

So, what will you get for it? Well, you share some kind of data with us. So, what will you get for that? For example, you can see different kinds of statistics. This is one of them: your share of IPv4 and IPv6 in your communication.
Well, this is from my router, so you can see I am using quite a lot of IPv6. And another thing is passive bandwidth monitoring. So, we monitor how you use the bandwidth of your connection. So, you can judge from these graphs whether you need a faster connection or a slower connection. I told you about the Honeypot as a Service, and this is the UI where you can see what the attacker has done or tried to run on your router. So, you can see here that somebody from China tried to connect to your router. Then he tried to stop the firewall, different kinds of firewall. Then he tried to download a file called SHAO and tried to execute that. There are lots of other attackers who probably tried something similar. We know about every attacker from every router. So, again, we can share this data with our CSIRT team, and if there are lots of similarities, they can warn other users that there is some new danger.

What are the biggest catches of project Turris? We found two botnets. The first one is made from ASUS routers. The botnet has more than 10,000 devices, and we found them through the Minipots, because we found out that at the same time lots of attackers try to connect to the telnet ports on the routers and use the same series of logins. So, we took all the IP addresses and put them into Shodan, and it told us that almost all of them are the same ASUS routers. We bought one of the models and connected it to the Internet. In a few days, we were part of the botnet as well. The second one was made of Ubiquiti AirOS routers. There were around six and a half thousand devices, and the problem with these routers is not so bad, but the users just enabled remote management but left there the default login, that means admin/admin or something similar. It doesn't matter.
So, it's not a fault of the router, but maybe the router should force the user to set up a stronger password before they can enable the remote management. We also found a few user PCs connected to botnets, like Zeus and so on. And we found quite a lot of ISPs who break Internet neutrality, or network neutrality. That means they are redirecting communications to their own servers. Typically, they don't let you connect to remote SMTP servers, or they try to redirect your DNS traffic and so on. We think that this is not good behavior, so again we contacted them and told them there are better ways to protect the users.

Most of the data, or all of the data, we cannot share with anybody, but we try to also help other people to stay safe. So, at least we have something called the IP greylist. This means that we measure the behavior of attackers which attack the routers, or, let's say, remote PCs which try to connect to a router. We look at this communication and we give a score to each IP address. For example, if a particular IP address tries to scan one router, that means, well, score minus five, let's say. And if the same IP address tries to scan ports on thousands of routers, that means score minus thousand. And if an IP address gets some amount of minus score, we put it on the IP greylist, and it's refreshed or regenerated every week. The screenshot below, that's from some tool from our CSIRT team, and every column represents an IP address of an attacker from our IP greylist. And this blue row means that the IP address is from Turris. The other rows mean that the IP address was caught also in different other services which the CSIRT team scanned for similarities. So you can see that we are quite successful in measuring the bad behavior.

Well, the Turris project was quite successful, or we think that it was quite successful. And lots of people asked us if they can buy the router and use it, let's say, anywhere outside of the Czech Republic.
Unfortunately, this was not possible due to some rules we set for the router, for the project. But we told ourselves that maybe we should do something with that. So we made a new router, or we are working on that right now. And this is the answer to the high demand for the previous Turris. It's called Turris Omnia, and it's this one. The first plan was to make a price-optimized Turris, because this, the previous one, was quite expensive. But as a side effect, well, the router is just better in every way. It's more powerful, less power hungry, and so on. We decided to fund the project through Indiegogo. So we set a target of $100,000, and we hit the target in 23 hours. Right now the campaign has already ended, but right now it's in InDemand mode, so you can still buy it. And we gathered almost $1 million, which I think is quite a lot.

Well, so what's the hardware? Thanks. Again, we are really proud of the LED diodes. The processor is ARM, Marvell Armada, dual core again, 1.6 gigahertz. The power consumption is, well, around six watts in normal usage, but it can be as low as 4.3 watts. There is only one gigabyte of RAM, but you can pay for RAM upgrades on Indiegogo. There are four gigabytes of eMMC memory, an SFP port, which is quite unusual on home routers, two USB 3.0, programmable RGB LEDs, three mini PCI Express slots, and one of them is switchable to mSATA mode. So you don't need to do anything, just buy an SSD hard disk, or an adapter to the standard SATA port, and put it in the slot, and you can use it for connecting your hard disk. And the third mini PCI Express slot is prepared for connecting an LTE modem, so there is a SIM slot. Again, there is an RTC and a crypto chip. We also like the Raspberry Pi, so we wanted to have at least similar pins to those available on the Raspberry Pi. So there is a pin header where you can find 10 GPIO ports, two UARTs, SPI and I2C.
So if you are really into doing it yourself with electronics and so on, I think you'll maybe be happy, and maybe you will replace your Raspberry Pi with the Omnia. Oh, this is a schematic of how the internal network connection looks. This is again quite unusual across home routers. The CPU has three interfaces. The first one is connected to the WAN port, and there is an OR between the WAN and the SFP slot. So if you put an SFP module into the SFP slot, the WAN port is immediately switched to the SFP. If you remove it, it's switched back to the Ethernet. The other two interfaces are connected to the switch chip, and the switch chip is fully manageable. So it's really up to you how you will set it up. You can say, let's say, that the first three ports will be connected through port 5, that means eth0, and the rest through port 6 to eth1, and then have... well, you can keep your LAN clients separate. This is how the board looks. Well, I think that all of you are able to see the USB and SFP. This is the battery holder, processor and so on. If you have any questions, just ask me afterwards, and you can discuss it with these prototypes.

Software is the same as with the previous Turris. That means Turris OS, fork of OpenWrt. It has the same feature set, automatic updates and data collecting, but it can be turned off, and the policy is opt-in. And because if you buy a Turris Omnia, you are not part of the Turris project by default, that means that you can load any software you want onto the hardware. I already know about some guys who are eager to try to put OpenBSD on the hardware and so on, and we will be happy to cooperate with them once we have some free prototypes. We always like to say that this is more than just a router, because it's really powerful, so you can use it as a decent home server for file sharing, backup services, anything you want.
We already know about some people who use the Turris as a, let's say, do-it-yourself home automation center. There are two software packages for this. One of them is called Home Assistant, the second one is Domoticz. If you know about them, you can use them without any problems. You can use the router also as a Tor gateway, or use other software like the Knot DNS server, BIRD, and many more, VPN without any problems; 100 megabits per second we measured through the VPN. As I said, we love open source, so everything is open source and open hardware: bootloader, operating system, power management firmware. If we forgot something, just ask us, and we have no problem releasing it. We will also release the schematics and the full production documentation, but with a little delay. Well, some people told us that they found some discussion on some Chinese forum that they would love to produce it before us. If you want one, I'll be really happy. As I already told you, it's still available through Indiegogo. Just take a look at this link or follow the link in the QR code. This is all I prepared, so thank you. Any questions?

Certificates? We have different kinds of software. We do not collect it on the, let's say, packet level, but we normally, through some program or, let's say, a tool, connect to the server and download the certificate. So this is just for the certificates. We do not, as I said, we do not do the deep packet inspection. Is it enough? Well, for the certificate collection... Yes, I understand it, thanks. We do that on a regular basis. Let's say twice a week we connect to the remote service, Facebook and so on, and then download the certificate and put them in the comparison from all the routers. So that means that we are not looking at the certificate every time the user connects to Facebook. Yeah, that's our connection, our own connection from our own tool.
By default, there is a package manager called opkg, I think, and we try to update it as a normal Linux distribution. There is a script, a wrapper script around opkg, and it regularly asks for the update and then updates everything... Well, it's the same as if you update your notebook with Linux. What is the same? Well, it's not that easy, because there is... We always release a plan for how to do the update, because sometimes there are things you need to take care of manually, and that's the reason for the plans.

We contact the CSIRT team and tell them about the problem and share all the information with them. If it is, well, a problem similar to the ASUS routers which attacked the Turris routers, there is no way to contact them, because usually it's routers from Russia, South America and so on, and you don't know who to contact. But if it is a user PC connecting to Zeus and similar botnets, again CSIRT will contact the user and send them an email about the problem and information on how to fight the problem, and they can really contact them if they don't know what to do.

Well, it could be possible, but we do not support any other hardware than our own. But if you have a router powerful enough, I can imagine a few of them. I can tell you later. Yeah, it can be possible, but maybe there will be a few obstacles with OpenWrt's buildroot, a few things to tune and so on. But yeah, it can be possible.

Well, if you ask us or tell us that you want to buy 100 to 1,000 Omnias, we will be really happy to talk to you.

Not yet, but we plan to upstream all the changes we made. Right now it's basically about DTS tuning. There is... I am not aware of any other problems right now. Yeah, out of time, sorry. We have the 4.4 kernel right now.
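The IP greylist scoring the talk describes (a negative score per attacker IP that grows with the number of probe routers it scans, regenerated weekly) as an added Python example; this is not CZ.NIC's or the Turris project's code, and the firewall-log format, the linear weight of -5 per router hit and the greylist threshold are assumptions made for the example.

```python
"""Added example, not the Turris project's code: a simplified IP greylist
builder in the spirit of the scoring described in the talk. Each source IP
gets a negative score that grows with the number of distinct probe routers
reporting it, only the current week's reports count, and IPs at or below a
threshold are greylisted. Log format, weight and threshold are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall-log lines (not real data) in an assumed
# format: "<ISO timestamp> <router_id> DROP src=<ip> dpt=<port>".
SAMPLE_LOG = """\
2016-01-30T10:00:01 router-001 DROP src=198.51.100.7 dpt=23
2016-01-30T10:00:02 router-002 DROP src=198.51.100.7 dpt=23
2016-01-30T10:00:05 router-003 DROP src=198.51.100.7 dpt=23
2016-01-30T10:01:00 router-001 DROP src=203.0.113.9 dpt=22
2016-01-30T10:01:01 router-001 DROP src=203.0.113.9 dpt=80
2016-01-20T09:00:00 router-002 DROP src=192.0.2.44 dpt=23
"""

NOW = datetime(2016, 1, 30, 12, 0, 0)  # constructed "current time"
SCORE_PER_ROUTER = -5                   # talk: one router scanned ~ -5 (assumed linear)
GREYLIST_THRESHOLD = -10                # assumption: two or more routers hit
WINDOW = timedelta(days=7)              # talk: the list is regenerated weekly


def parse_log(text):
    """Yield (timestamp, router_id, src_ip, dst_port) for each DROP line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "DROP":
            continue                    # skip malformed or non-drop lines
        fields = dict(p.split("=", 1) for p in parts[3:])
        yield (datetime.fromisoformat(parts[0]), parts[1],
               fields["src"], int(fields["dpt"]))


def score_sources(events, now=NOW, window=WINDOW):
    """Score each source IP by how many distinct routers it hit in the window."""
    routers_hit = defaultdict(set)
    for ts, router, src, _port in events:
        if now - ts <= window:          # older reports age out of the weekly list
            routers_hit[src].add(router)
    # Several ports on one router still count as one router, so a noisy scan
    # of a single probe does not outweigh a wide scan across many probes.
    return {src: SCORE_PER_ROUTER * len(r) for src, r in routers_hit.items()}


def build_greylist(log_text, now=NOW, threshold=GREYLIST_THRESHOLD):
    """Return the sorted list of IPs whose score is at or below the threshold."""
    scores = score_sources(parse_log(log_text), now)
    return sorted(ip for ip, s in scores.items() if s <= threshold)


if __name__ == "__main__":
    for ip, s in sorted(score_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip:15} score {s}")
    print("greylist:", build_greylist(SAMPLE_LOG))
```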