Okay, cool. Hello everybody. My name is Stitch. I'm really happy to be able to present something today. I'll be sitting down because this is... I see this also as a sort of training round to do presentations. And I wanted to try a different format than giving a talk and showing slides. What I wanted to do is just show a few things that happened that I and a few friends of mine created. And then you can all ask questions. So where the context misses, then I can fill that in. I've got... If things are going to happen, so I can show you what this is all about.

So the talk is called FailMap: Transparency Improves Security. We've tested the setup, yes, so it works. So with more transparency you will have better security. And what I'm going to show you has solved thousands and thousands of vulnerabilities in the Netherlands. And yeah, I'm just going to show you what it is and then show a nice surprise.

First off, this is the Netherlands, if you're not familiar with it. It's the neighboring country of Germany. And what you see here are municipalities and the quality of their security on websites. Now here we have a nice slider and we can show the quality of the security over time. And with a nice detail, look in this region, these organizations merge, and now you will see this one disappear in a moment. So with different regions over time, you can still see the quality of security. And as you can see, there's a lot of red and some green. So some are doing pretty okay. They all started out red. You can see that for every region there's a number of addresses. All these addresses have been harvested automatically through DNS brute forcing, certificate transparency, and other means. Also, what's called NSEC, DNSSEC hashing that allows you to walk the entire zone. So you can find all addresses of subdomains of an address; like Amsterdam has 250 addresses and you can just get them all if you use DNSSEC. So there's something more. You can see the amount of improvements over time.
In the past four weeks, these numbers are a bit skewed, but they represent the upward trend pretty well. You see the number of organizations and how many are doing well. And what came from zero, you see over time that from A to 12 until 31 are doing pretty okay now. You see how many URLs there are scanned. And what you see is a lot of these URLs are being cleaned up. They are being removed from their DNS. So a smaller attack surface, so better. More statistics. And also here you can see somewhat downward trends with certain security things in the past few months. You can see who is the worst, who has the most problems. Amsterdam is now sharing the first place with Goysemeer. They used to have 90 high-risk thingies, so now 22, so they're cleaning up pretty well. It shows when the last changes were and finally you can get a report. And it says, this problem exists. This is the documentation, you can check it yourself. And this is, all this data is being refreshed every day. So all the 5000 URLs will be scanned every day.

Since we are in Germany, we had the idea, let's roll out to other countries. And that was pretty difficult. But this is a better feature, as you can see. If we type a nice command, extra crunchy cyber, we can switch country. Look! And there's a lot of domains here. It's a bit slow due to caching, so we are in Bayern right now. Let's click and see how they're doing. Look, they're doing pretty well. The numbers don't even fit the box anymore. So the last two days have been very hectic to make sure this could happen. And let's just check if there's indeed a problem with their certificate on their most important domain. Great! So, beautiful. There's a separate type of entity. It's called Regierungspartier. I have no clue what it really means. I tried to understand how bureaucracy in Germany works. But I just stopped after a few days. And turned to the enlightened people of OpenStreetMap. So these are just two layers. But there are 11 layers.
And the goal is to add all the 11 layers to the map. And I can show you here a little bit of that. Have I shown everything? So here are the bureaucratic levels of Germany. And we are now here. And in a few days or weeks we'll end up somewhat here. You don't need that. No, we don't need that. But where should this go? Till here or something? No, part of the town. So this is much too much. Okay, so... I think Bert's user and somebody interested in detail will look for State District. Because he lives there or his employer lives there. Okay, for the people listening at home, it seems that we only need to import the first three regions. Those are the most important ones. And for small towns it will go to level five. Well, luckily all of this has now been somewhat automated away. So here are those levels. And already there's a problem when you dig in deep. Because the amount of data you have to process is immense. So we had some out-of-memory issues. So more, bigger machines. The URLs are taken from Wikidata automatically too. So now it's just a matter of saying I want to import this region. And then it automatically gathers the URLs that match. And it also checks if the region is really in the country for some reason. And it should be able to deploy this pretty quickly soon. But there's one problem. The site here is in Dutch. And I was wondering if there's somebody in the room that can help me with the German translation for this one. Nobody speaks German. Nobody speaks German. So it should be English here. Yes, there's an English version. Yes, yes. So who can translate English to German? Okay, please, please stop by after the presentation so I can show how it works. And then the website is also in German, which is nice.

So some other things. It's a Django application. It's really small, but it saves some time with migrations and such. We have this beautiful sparkly button. And this is a function that rebuilds all the indexes that you see on the website.
So we store data over time, which is pretty complex to query. And it also has different ways of rating things. It's also complex, and this reduces the complexity into simple reports. And people working with this admin interface in the Netherlands wanted to have a nice, beautiful, shiny button to, after they're done with all their work, hit the button and then go. So here you can see all the... This is your standard database create, read, update, delete application. And you can see all the organizations here and all the URLs. And it still performs pretty well, even with the amount of data that's currently in the system. So this is the list of URLs. Here you can see for a random URL what endpoints they have. Usually websites have four endpoints, one on IPv6 or two on IPv6 and two on IPv4. One on port 80 that redirects to port 443 that has the website. That's normal. And I think in five years port 80 will be gone, mostly, or not accepted anymore. And it will all be 443. And you can see all the scans we do. So this is just a simple scan for headers, security headers on the website and the rating of the TLS done by Qualys. It's missing a few scanners. We do have DNSSEC, but we want to have some other scans. For example on Telnet or FTP that doesn't use encryption as well. And so there are some scanners that will be added in a few months. So there will be more regions that are red and that's nice to see and they will be cleaned up too.

So everything, the whole thing is open source. You can download it and run it yourself. The server, if you want to run a development server, it's actually two commands and you have your nice development server. It says here, if you have the dependencies installed, you can say vagrant up and you've got your server with your database and your monitoring and whatnot. So that's pretty, that helps. And for development, all the source code is stored in this repository, which you can check out and change and do whatever you want.
It's a Django application. So it's well documented how to program for that environment and that helps. And there are some pictures in the documentation that show what the database model looks like, etc.

So now it's time for questions. So do you have any questions? Do you want to know anything about this? Or how this works? Is it legal in Germany to do this? So do you have any questions?

Yeah, I have one question. It's more about strategy. The goal is to bring security to a better state. And I think partly you have a psychological problem because you are punishing people, but you want them to do things. And then there is a simple standard rule. If you want people to do something, you need to lure them into what they should do. And if you want people to not do things, you can punish them. It's a standard rule.

Yes, the project started called FailMap, so that's not really positive. And it really did well in marketing, like, hello, we exist, because fear. This has rearranged the priorities of the organizations we scan to focus on getting this right. So partly it has been, being unfriendly has helped because they are required to do it right in the Netherlands. So if you just saw that they're not doing it right, then they will fix it. But on the other hand, I completely agree, and we're looking into making a friendlier name that still has the same effect. But that's pretty hard. We could call it... Sorry? Friendly FailMap. Yes, excellent. We also think of CyberMap, so the cyber people understand. So I have different shades of yellow. There was a proposal improvement map. Improvement map? Oh, that's nice. That's also nice. Oops, Matt, thanks. Yeah, so I think the project name will be a variable somewhere. It will just change as needed.

I have a second question. You do a traffic light categorization, so red, yellow and green. And in that categorization you have a bunch of security criteria.
Is it possible to make maps on single criteria or on a self-defined collection of criteria? Because you just did the thing with Firefox and certificates. There are different opinions about what is more secure, relying on VeriSign, which is okay by Firefox or browsers, or relying on a self-signed certificate, which would be clearly red now. So can people click their own criteria set?

Currently it's not possible to do so. This discussion also comes from the people that are scanned, because they want to have their own local and their country-relevant standards, compared to this is the internet and there are no borders. That's a really difficult discussion, because I want to have those people out of the way, because it's the internet and there are no borders. So we want to have a secure set or secure meaningful thing. So if you have self-signed certificates with this scan, it will be certainly red, even though they might be more secure. For public sector, I think trust is an important issue. But yeah, that's a really difficult and long discussion. It also checks what you cannot filter on what issue you want. Of course, we want to do that. So you want to see where are the problems with headers, where are problems with this type of TLS certificate, because if we would say trust is not relevant, then there will be a higher grade for many organizations. But most organizations target consumers, so if the consumer would go to the website, it would still say no. And yeah, that's a thing that I cannot solve, or we cannot solve.

I think it could be something which you can use as a lure to get people into using it, if you have the possibility to enforce the security policy of an organization, as an organization. So people start getting used to it and they see, oh, there are several additional buttons. You can check them also. So in the statistic situation, if it goes over time, you get closer to your aim, but you don't enforce it the hard way. Correct.
So that will be added on a backlog to do specific things we scan.

Hi. Just wondering, how do you keep the lights on with your infrastructure?

Well, the money will run out soon. But this is funded by... Well, the story from the beginning is, I wanted to do this because it had an impact. I was asked for a conference to speak somewhere and I had no, like, thing to talk about. So I wanted to make something that had an impact and in the same room, there were, like, 200 security officers of municipalities. So they instantly panicked and it was beautiful. And I liked it so much that I thought, I have to do something with it. What I did then, I talked to some people, showed it, and they said, you have to go to the SIDN fund. The Dutch domain registry has a fund for if you have projects that improve the internet, you can request a fund from them. You have to write some documentation, but most importantly, do a pitch so that they can see that you are going to do something nice. And they gave the project 70,000 euros. And that means for, at least this year, we can just keep on going and have a lot of fun. And while technically, most stuff has been realized and works pretty okay, or is at acceptable levels, the hardest part of the project is making sure it exists after this funding runs out. And that's the part where we are approaching. I think for this year, and maybe half of next year, it will be sort of fine. But then, yeah, where to host it, how to pay the bills, that will be interesting. We are looking around and talking to, like, governments and CERTs and other people that have an interest or organizations that can have an interest in this sort of monitoring on their infrastructure. But so far, it's more orientation to talk to them than that we have found somebody that says here, make sure it works and stays working for the next 10 years. That's the goal.
Another question, if I may, with the planned expansion on scanners, do you anticipate any kind of problems or backlash? Because you kind of expose people, rightfully, though, but still they may say things along the line of you are just publishing our vulnerabilities and you are adding to the problem. How to deal with that?

That's really hard to strike a balance there. For example, we could add a scanner that does sqlmap and SQL injection tests. That would be highly unethical to do so. What would happen then is that the vulnerability could easily be exploited by others and that would result in data loss and that would go against the mission. Next to it being illegal. So what we do instead is looking at things that are not really easily exploitable unless you manage the whole network. And we check things that are checked by most scanners. Like there's one in the Netherlands that's called internet.nl. Now you can do basically the same on a popular news website in the Netherlands and it tests on somewhat the same level of vulnerabilities without any fear that it would be illegal. So it doesn't really hurt what we publish. Sometimes we do find something that's not okay and that's not published, but we have a practice called responsible disclosure in the Netherlands. What you do is just contact the organization and say, hi, I found this. Please fix it. Normally then you can disclose it after 30 days. But now if you find something, we'll just delete it from the database and make sure that that's handled in the same way. So in the Netherlands it's funny because you can hack anything, really, banks and whatnot. The only thing that you have to do is responsible disclosure. So you can start hacking banks, no problem. But if you find something, you have to inform them about it. And if you do that well, you can have talks about it and you even get the fame and such if you want.

Any other questions? Maybe I have something? Yeah, you can ask me what scanners will be added in the future.
So, who's going to ask it? Oh, good question. Spontaneous. Well, I happen to have a list ready. Currently, I just probably a nice... Oh, this is what we scan right now. So having transport security in the first place, we can do that because we know what endpoints exist. The quality of the transport security and a few headers. Like, can you embed the website? Is encryption required to see this website? And DNSSEC. So, is the website you're visiting matching the IP address that is associated with it? And we do that... Most of them we do daily. What will be added? And that would be added without any meaningful risk as far as I know is more DNS stuff. So everything around mail, like SPF and DMARC and DKIM. We can check if they send secure and verifiable mail. There's a beautiful project called privacyscore.org. They check if the website leads to any third parties. For example, Google. You might not want that on public infrastructure. And it's also an open source project. And it's very interesting to add that to the list of scanners too. And all TLS services that use... That can use STARTTLS, for example, FTP. It's not really hard to write something to connect to FTP and see if they use STARTTLS. Also with mail and telnet. That's the thing we're planning now. If you have any idea what we could also scan, that's very welcome. Is there a problem with this list? Do you see... Is anyone seeing like, oh, can't we do this? So I think this probably will be added in a month or two. And yeah, more red regions for us. Yeah, that's basically all that I can show. Unless you have any questions, then that's it.

What was the most crazy spot where you found a security leak? What was the most crazy thing?

Well, crazy. You see, there were some really old Mac mini servers on some municipality. And why do you have macmini.something on your domain list? There's not really... All these organizations are brutally serious. So that's why we add the rainbows and the ponies and nonsense.
For example, what we do to test translations is we have a language. And I have to accept this presentation mode, which works really well in this editor. Because these organizations, they don't have any funny IT things, as far as I've seen. So we have to add fun ourselves a little bit. And this is one of the things we do. To test translations, we have this language, which shows rainbows everywhere. So you can just change the setting to rainbows. And all the translations will be rainbows. And that's funny, right? So, yeah. Oh yeah, we had one thing. Because there's a lot of organizations mailing us. Like, you're doing things wrong. You have to rescan. And every day we receive four or five mails. We have to rescan something or do this or do that. And sometimes you get these mails that are really long. Because we might not be friendly calling it failure. And they say that we have an approach of comply or die instead of comply or explain. And that needs a little explanation, maybe. Comply or explain is a list of standards that governments have to abide by. And they can explain why they don't, infinitely, with no repercussion. And this is, of course, a comply or die approach. So when we got the email, we instantly changed our tagline to comply or die and got t-shirts, and all the volunteers have a nice t-shirt. So, yeah. Okay, cool. Then thanks very much. Check it out. All the code is on GitLab. You can just get it, run it, and see how it works. And also, most importantly, verify yourself that the outcome on the website that someone else publishes is actually true. That's one of the great things about this being an open source project. You can independently verify that. It's true. So, yeah, go do that. And, yeah, thank you very much. Who wants to help with translations? Nobody?

At your checklist, you had a security criterion. HTTP, i.e. without an S. You will find a site which delivers via HTTP. The site goes red. This is an example of different security policies.
If I have a site which delivers static content only, HTTP may be okay because if you encrypt all HTTP traffic, you kick out all virus scanners, for example, at the organizational borders. So, an organization which deploys virus scanners at its borders is not interested in every HTTP connection being encrypted. This is clearly a matter of policy. And if you say, okay, this is a hard criterion, it's always red, you are evil, then you will have many enemies.

Okay. There's two answers to that remark. First off, HTTPS encryption does two things. Not only is it not possible for others to see what's being sent, but it's also guaranteed that the messages that are sent are not altered. So, you get the correct data that's actually intended to be sent. So, there could not be a middle man, but that's also not really true. For organizations, what they can do is they might run their own CA and strip TLS and use their own certificate for all websites. That might be a way to go around that. They could even offer websites internally over HTTPS where they normally would not have that, but that's a bit dirty. But it's possible. I think so. Yeah, luckily in this case for many of the things on this map, the European Union does this already, so I don't have to think about what is right or wrong. No, that's not true. But they require a secure alternative. Terry, very carefully. So, you say HTTP without HTTPS? Yes, exactly. That's what's happening. Yeah, that is what's happening. So, having HTTP only is not okay, but if you have a secure alternative, it's fine. And this also works for certain headers. There are many applications that run on port 443 that are encrypted and don't provide an insecure endpoint. But because they are only reachable over an encrypted connection, they might not want to use certain headers. And in that case, if you have no insecure endpoints, we drop the checks for those headers also. So, the mails that we get are discussions like these also.
And it requires a lot of thinking and all the decisions on that are documented. Fortunately, there's something wrong with the documentation, but there's normally a nice policy on every detail. How is it scanned? When is it scanned? What does it matter? What's the consideration? And in some cases also the links to RFCs where it says this should exist in this way. So, that level of detail is of course important. Otherwise, the risk is that you're not being taken seriously. So, try to have as few arbitrary standards as possible. So, yeah, we have this thing. And here it says what is required somewhere. For example, DNSSEC. And here it says also somewhere what EU guidelines require you running DNSSEC. So, you can run DNSSEC but have different implementations of it for different hashes and such. And that's where we use the standards that are done by the Swedish registry, for example. That's that. So, yeah. Oh, yeah. When I saw this image of the German religious, I just like, okay, done. So, yeah. Who would... Let's close up and stop. If you want to help translating, please stay. And then let's sit down, get Mate or something else and do this. So, thank you very much.