The next talk will be given by Leonid Evdokimov, and he will be talking about Russia vs. Telegram: technical notes on the battle. The stage is yours. Thank you. I'm greeting all the creatures in this hall, in the cyberspace and those who are in the future compared to me saying these words. My name is Leonid Evdokimov, and affiliations that matter for this talk are basically following. First, I love Internet protocol, and I love measuring networks based on Internet protocol. Second, I am not a Telegram team member, so no insights. Third, I was a happy Telegram user, and when the blocking started, I was extremely disappointed. Basically, I was disappointed enough to do something. But before describing the Telegram incident, I want to give a brief overview of Russian Internet censorship landscape. It will give some important context that may help you to prevent some erratic conclusions. First, attempts to filter Russian Internet segment are not a recent development. There were some activities in that area for, like, last 11 years. The first documented incident of Internet censorship in Russia happened in May of 2007. Court ordered four ISPs in Novosibirsk academic campus, also known as Akademgorodok, to ban some extremist websites. Those were small Internet service providers, so only small fraction of users was affected, and the incident hasn't made a loud news story. The registry that was used to block content in these ages was named federal list of extremist materials, but the registry was quite badly maintained. For example, one of the entries in that registry is exactly the following. Text document named terrorism from the folder named orders number one, CD disk number one. That's it. That's the entry of the registry. So the list wasn't very useful for the purpose of automatic content blocking. One of the notable events of that era is the act of digital resistance by Maxim Moshkov. Maxim is a cyber librarian of the oldest Russian Internet library named Lib.ru. 
One of the sections of the library is named samizdat, that basically stands for self-publishing in Russian. And that samizdat journal hosted user-generated content. Once the domain of the journal was added to the federal list of extremist materials. Of course, that wasn't a surprise, because also people know that samizdat is kind of really extreme civil disobedience. Maxim decided to bring some fun or fairness to that case, and he transferred the useless domain to the ministry. So basically, he pointed the domain of the samizdat library to the website of the ministry of justice. As expected, that eventually caused some inaccessibility of minjust.ru. The modern blacklist, as we know it, appeared in 2012. The law was brought to protect children of all ages from one or zero to 100 years old, from digital drugs, from child porn, and from various safety guidelines, also known as suicide how-tos. The major websites protested, but the parliament didn't care that much, and eventually the president has signed the law on Saturday. Now I know that president works on Saturdays. So how does modern Roskomnadzor blocklist look like? It's an XML file signed with detached signature using GOST cryptography. Also, the bundle of XML file and the signature, it is wrapped up in another XML, as the file is fetched using SOAP protocol. The protocol documentation is publicly available, as well as the API endpoints for testing. The essence that you should know is that internet service providers actually control the filtering equipment they purchase. It only maintains the blacklist and monitors that filters of internet service providers actually work. So, when the blocklist first appeared in November 2012, it immediately delivered a lot of fun to us. For example, it blocked Absurdopedia, basically Russian version of Uncyclopedia, and exactly for suicide how-to. 
Of course, the grotesque of blocking of humorous content got some media attention, and some brave creature decided to leak the blocklist to GitHub to codify that absurd for ages. So, two weeks later, after the first blocklist release, GitHub and SourceForge got a copy of the blocklist, and that copy was kept up-to-date for years. It is still kept up-to-date, and it is still maintained. I don't know anyone who knows the person maintaining that blocklist mirror, so this talk is basically the only way for me to thank that maintainer for all the work he was doing during the last six years. And, of course, another fun incident in the same month, like within a few weeks, some of Google services were also banned for a day or so. So, anyway, who needs jQuery libraries from gstatic.com? And I can spend the whole time slot of the talk describing funny incidents regarding the blocklist, but it's not the main topic today. But I can't resist, so I'll just name a few more. First, the Pornhub. It was a pioneer that used legal procedure to unblock the website that was blocked previously, and that legal fight, it deserves some Second, Roskomnadzor obviously loves tcpdump, for sure. That's, you know, the only sane way to explain how certificate authority or revocation lists and OCSP responders of Comodo CA were banned. And that CA ban, it caused some quite solid collateral damage and hard to debug problems. Third, Roskomnadzor either has some sense of humor or just lacks sanity checks in the blocklist maintenance procedures, so it really banned loopback address for a while. As I've earlier said, Roskomnadzor monitors that ISPs actually implement filters. The reason for monitoring is understandable. The law doesn't matter. The fine and the penalty does. So, ISPs got some new year gifts in 2016. That was a tiny OpenWrt router based on TP-Link platform. ValdikSS, well-known Russian hacker, has hacked the firmware and highlighted some really nice facts in his research. 
First, API of the command and control center of those measurement platform, it was reached over HTTPS. Sounds good so far, but unfortunately, CA certificate bundle was absent, probably due to image size constraints. Also, SSH was used to do some reverse tunneling. That sounds like a usual and good idea to penetrate network address translation as soon as IPv4 is still widely used and the modern IP is not that much, at least in Russia. But server host key check, it was absent. So, it was basically disabled. That allowed ValdikSS to inject some nice screenshot of cyber garbage into Roskomnadzor monitoring pipeline, at least according to his publication. If his prank succeeded, that was the picture that censor was seeing in the back office while checking the screenshot of the website that had to be banned. The real issue with the Revisor monitoring system is that it is a black box, at least from ISP's standpoint. It's not publicly documented. What sort of behavior the black box has, what sort of filter is good enough, and what sort of filter leads to fines. Eventually, one of maintainers of Revisor system, the governmental employee, has written a public frequently asked questions for Revisor on GitHub to help ISPs to comply, and he claims that it reduced overall amount of fines. This sounds like good activity, but before that, some ISPs had to put that monitoring system, Revisor, into a strict sandbox that had way more tight filters than ordinary users were expecting. And, moreover, the sandbox solution was so widely discussed and so popular that it became the logo of semi-official Telegram channel that discussed Revisor-related issues between ISPs and governmental employees. 
As soon as ISPs were forced to comply with the black box, as soon as XML file contained stale IP addresses of their websites to block, as soon as the black box was actually using IP addresses from DNS to check for compliance, because all of that, some ISPs started to feed A and AAAA records straight from DNS to their filters. And, of course, it was prone to some malicious manipulations by domain name owners. Those manipulations were called DNS attacks, and there were various sources of them. Some of ISPs used IP addresses from DNS to actually block traffic, that's boring, but those ISPs have brought their users some collateral damage, when domain names were pointed to IP addresses of good services. Other ISPs used IP addresses to steer some portion of traffic towards DPI boxes to reduce overall amount of bandwidth going through DPI. That's very smart and it saves some electricity, so it's kind of green, but unfortunately it may lead to more specific routes overriding ordinary routing rules, when domain names were pointing to IP addresses of peering subnets. Or, in the worst case, routers can just go on strike, when blacklisted domain names are pointed to something like million and a half of distinct IP addresses, and basically overflow routers' TCAM memory. As you can guess, all those incidents have already happened, so no news here. I'm sorry if the history section took too long, but some faults deserved highlighting as they are quite universal across different filtering systems. So the story of incident with Telegram starts here, basically when Policeman enters the game. So what's the essence of the reasons to block Telegram? It's quite easy to understand. Terrorists who blew the bomb in St. Petersburg subway, they use Telegram. Also, every ISIS member enjoys slick UI, nice stickers, and videos in circles, according to news and Russian satirical videos. 
Some people also name popularity of Telegram in opposition groups as a reason for ban, but discussing the reason of ban is out of the scope of the talk anyway. So it's easy. Telegram is added to the registry of information distributors, so it has to comply with the law, and it has to do some decryption magic, basically to help police, and otherwise it will be blocked. So when the Telegram was duly added to the registry in the classified location, it claimed that it will never hand over keys or do backdoors. So Digital Rights NGO started a campaign for encryption and stuff. And eventually the court cases were lost, at least in Russian courts. The case was escalated further, but it's boring legal stuff. So the key point is, on the 6th of April, Roskomnadzor started to block Telegram, and following few weeks were named the first Russian civil cyber war. But let me give a bit more context. Telegram wasn't the first messenger that terrorists love. Zello was another one. Zello was also used by protesting truck drivers in Russia, but maybe those drivers were meant to be the terrorists. Who knows? Anyway, once again, out of the scope. So attempts to block Zello were ongoing since April 2017, and they weren't a complete success. And there was a leak in the end of March 2018 saying that Roskomnadzor plans to conduct an experiment to test new tactics regarding blocking of Zello. The leak paper, it had 36 subnets summing down to something like 15 millions of IP addresses of Amazon and other cloud providers. And the leak had like nice keywords like null routing, BGP, redistribute. You all know that you have already seen it before. So I'm unsure what they actually meant with that experiment. And I don't know if the leak was genuine, but that publication of the leak caused a lot of noise in the media. And there were no further reports that could confirm of existence of a like experiment. So maybe media worked. 
Moreover, some illustrators drew really good pictures that could clearly communicate the overall Roskomnadzor plan regarding attempts to ban Zello to every, I don't know, to non-technical granny, for example. So back to Telegram. On Monday, April 16, Roskomnadzor starts to ban Telegram subnets. Some of Telegram subnets. As expected, no sign it can affect all the nodes. So Roskomnadzor went berserk and started banning Amazon. But Telegram worked. Finally, Roskomnadzor noticed that one of Telegram subnets wasn't banned initially yet. And of course, that didn't help them much to achieve the goal when they banned it. So berserk mode wasn't turned off. And almost two million of IP addresses were banned by the end of the day. Telegram was doing fine, but overall internet wasn't. I mean, like, from Russia. Internet was okay. But people in Russia were complaining a lot about Instagram, about Steam, about World of Tanks, World of Ships, Twitch, YouTube, Google, Gmail, and so on. So basically, everyone was swearing at Roskomnadzor by the end of the first day of civil cyber war. But actually, everyone stopped swearing the next day when the amount of banned IP addresses increased tenfold. Everyone was just speechless. There were no good swear words to express amount of frustration. And every other online tool was broken, basically. Millions of domains were affected. And in the meantime, Roskomnadzor was announcing that no socially significant web services were affected. Of course, I don't blame Roskomnadzor for mistakes in their announcements, like employees implementing the ban were obviously very, very tired and stressed while rushing to shut down Telegram. And they were in such a rush that they have banned several IP ranges twice, submitting overlapping subnets into the digitally signed blocklist on the second day of the civil cyber war on the 17th of April. And probably the equipment could handle that, the filters. 
But some people counting public statistics for the blocklist, they got their numbers wrong because of that. But if the sanity checks are missing, they are missing everywhere. So some malformed URLs were added to the blocklist as well during the incident. And the malformed URL, it actually caused some filter implementations to fail ingestion of new blocklist entries, new blocklist subnets and new blocklist IP addresses. But I think that it probably was just a mistake. I don't expect that it was carefully planned sabotage of some Roskomnadzor employee. During the first days of cyber war, Roskomnadzor has distributed a document with some white list of socially significant services, including Google, by the way. That included websites also like kremlin.ru. Those shouldn't be banned under any circumstances. Probably that was a response to numerous reports regarding collateral damage. But unfortunately, Roskomnadzor had no legal framework for like actions. So many ISPs just ignored the document. But it caused some media wave as soon as the white list coming from censorship agency was something new for Russia that day. Anyway, the mantra regarding socially significant services was repeated over and over again. But like counter of Yandex metric or Yandex banner system endpoints were banned in the midnight of April the 27th. And VKontakte was also banned by same commit. And VKontakte is the most popular social network in Russia. So the incident lasted for almost two hours. And it clearly showed that, first, Roskomnadzor works selflessly around the clock. Second, Roskomnadzor still loves to speed up and still loves to feed IP addresses right into the black list without much analysis, as it previously happened with Comodo CA. In addition to generic mantras regarding socially significant websites, Roskomnadzor was spreading quite precise statements in their news feed as well. One of the statements claimed that IP addresses of Google Play, Google Drive, Google.ru were not banned. 
Of course, we, Usher2 Club, sorry, were very happy to hear that. The reason is crystal clear. Precise statements are refutable. And it's always fun to refute official news coming from official news source in fake news era. So we scraped hundreds of IPs of various Google domains sending different client subnets to Google's name servers, checked collected IPs against black list. And, you know, media loves fake news stories. And it was kind of interesting that there was more than one cluster of interconnected Google domains pointing to same IPs. Probably that makes some sense from traffic engineering perspective, but it also explains the reason for some Google fonts and points being unreachable while others were perfectly okay. But it wasn't the only fun visualization we made. On April the 19th, we took the RIPE Atlas probes in Russia that observed filtering, pointing them to randomly selected TLS endpoints in filtered subnets, and crafted live Vekomo dashboard. That dashboard showed that some ISPs are basically practicing digital resistance. The reason to create like dashboard was clear for me. I didn't want for huge ISPs, those are too big to fail, to use the possibility of noncompliance as a competitive advantage against smaller independent ISPs who can't take the risk of paying fines. But members of ISP community asked us to hide the dashboard within something like half an hour. For the reason I still don't quite understand. And anyway, noncompliance story still goes on. At least for Rostelecom, the largest ISP that holds like one third of a B2C broadband market share. Experiments have shown that Rostelecom doesn't block traffic to blacklisted IPs and subnets completely. It blocks just HTTP and HTTPS traffic. And for example, SSH works perfectly. And once again, that state-owned ISP holding one third of a market, you know, like here is an example of noncompliance or basically delayed compliance I'm speaking about. 
The blocking, blue dots close to zero, it was delayed by something like five days while they have to implement the blocking basically as soon as possible or within 24 hours depending on various variables in the XML file. So like unblocking was perfectly timely. As the civil cyber war continues, people use proxies and Tor to access Telegram. And they get indicated. And artists craft party songs about proxies, they mock Roskomnadzor and people have a great share of fun. But Roskomnadzor hunts proxies as well as Telegram. And people wonder how they do it. Some people start suspecting that lawful interception equipment, also known as SORM, is used to hunt proxies. And tips come via public and private channels, highlighting instances of like sniffers. Basically, the instances were exposing traffic statistics publicly. And the traffic statistics also had a section of Telegram traffic that attracts the attention of people who send us some tips. With correct statistics page, and it turned out that all those instances were pumping quite small amount of traffic, something like 20 gigabits per second. But the shape of traffic looked like real one. We looked up those instances using Shodan and we have seen that some instances had public FTP repositories with SORM binaries basically. And what was significantly worse, some instances were leaking actual users' clickstream and some personal information like MAC addresses or logins. And of course, all the data was available without any authentication. So, being good citizens, we decided to report the incident to the vendor of SORM equipment and ISPs hosting the lawful interception equipment. I got no replies, but some instances were properly secured within the next few weeks. But some weren't. Anyway, we concluded that the tips we got, they had no public evidence that SORM equipment was actually used to hunt Telegram and proxies. 
At least statistical counters about Telegram, they were zero because, you know, subnets are blocked. But you also know that absence of evidence is not evidence of absence. Another Telegram story that is kind of interesting is that the protest meetings happened when the app was blocked. As far as I know, it is the very first time in Russia when protest meetings are triggered by blocking of online service. The meeting was scheduled on the last day of April and the first day of May in Moscow and St. Petersburg. On the 28th, the Saturday before the meeting, number of blocked IP addresses went down from 90 million to 15. So, it's unclear if the action is caused by the activity of the society, but maybe it's just a coincidence. I don't know. But we assumed that media attention may help to reduce collateral damage caused by massive subnet blocking. And we decided to do some performance. I have previously described DNS attacks that caused a major outage of Transtelecom internet service provider. And one of the outcomes of that incident was a chart that was monitoring the count of IP addresses that are pointed to by blacklisted DNS entries. Basically, if the chart skyrockets, it may be an indicator of an ongoing DNS attack. I have previously registered some expired blacklisted domains for network measurements to present the results of those measurements at the round table of the parliament. And those domains were still alive. So, I took some of them and added some dynamic DNS zone script. And the script was updating the zone, so nice Morse code appeared on the chart. And the plotted phrase was like digital resistance. Unfortunately, it hadn't triggered any visible actions from Roskomnadzor. But another reason that could explain that is that the performance could be linked to Alexey Navalny's opposition meeting. They had some protest on the 5th of May. So, we took that as a hypothesis and continued. First, some cheap drama was added. The chart was doing countdown from 5 to 0. 
And it was doing it very slowly. And fake drama kind of worked. The countdown has triggered some nervousness. And the message was as friendly as possible. Russia celebrates Radio Day on the 7th of May. That's a professional holiday for all the people involved in telecommunication. And the message was truly pop-off. That is a well-known celebration greeting for that holiday that basically follows Paschal greeting pattern. And that message, it had some effect. Roskomnadzor started to clean up domains from the blocklist while the end of transmission chart was plotted. It caused some nice fade out. But also, Roskomnadzor has banned and unbanned, like, unperceived TLD. Maybe it was a sign of unity on solidarity, I don't know. And second, amount of banned IP addresses dropped significantly. Third, Roskomnadzor started to remove expired domains from the registry, reducing possible impact of various DNS attacks. So, it was maybe a hype-driven cleanup, but the proper expired domains' maintenance persisted. And it was good for overall network stability. Maybe it was a coincidence, I don't know. Another unblocking happened on the 8th of June, and anyway, all those cleanups were followed by people computing the statistics of IP addresses over remaining banned after subnet unbanned. And the number was less than 1%. And so, some people were saying that Roskomnadzor was using terrorist tactics while fighting with terrorists using Telegram, basically taking those networks as hostages. I had an assumption that leftovers of collateral damage could be also explained by something like incompetence or lack of big players in those subnets. So, I've spent days mining open data on DNS, writing an open letter to Roskomnadzor, giving off overview of blocked web resources, like Slack, GTC, PowerDNS, Doodle, Python, mailing list, Netlify, and so on and so forth. And American Nihilist Underground Society, anus.com. And the letter was also due to corresponding legal online form of Roskomnadzor. 
Someone survived, but it was like pointless legal speak. So, maybe those networks are really hostages, I don't know. So, that was a brief story of heated part of the civil cyber war. But the cyber war wasn't over. It became colder. One of the observations we made was a selective protocol throttling. Telegram clients picked several protocols to the proxy. SOCKS5 and variations of Telegram-specific look-like-nothing MTProto protocol. And I discovered that one of major mobile broadband ISPs doesn't treat those protocols equally. At first, I assumed that all look-like-nothing protocols were shaped as obfs4 pluggable transport and bare netcat urandom. They were throttled as well. But thanks to Simone Basso, we conducted an experiment and confirmed that it's not the case that HTTP protocol that is stored with RC4-random stream, it was also absolutely okay. It's unclear if the shaper is targeting specifically MTProto or like some other protocol, but it's definitely more complex than I originally assumed. But it also means that camouflage matters a lot while designing pluggable transport. Another proxy availability issue was observed in one of the first telecom subnets in South Russia. MTProto proxies operating without random padding were banned almost instantly. And it was trivial to trigger DPI equipment into resetting the TCP stream, just sending the packets to the listening TCP port. But there was a thing that was really bad in that setup. The IP and port of the network endpoint were added to dynamic blocklist at the DPI box for a couple of hours. And we assumed that the vulnerability that was created by that, it could be possibly exploited even from the JavaScript from browsers to ban good web resources, basically. So we decided to disclose that shady practice immediately instead of researching it further. And there was a Reuters news article a couple of months later that kind of confirmed that like experiments on live traffic were actually happening. 
It's unclear to me if like experiments are legal, but some people consider that it's like crying. Another proxy service availability issue was observed in Moscow, thanks to St. Petersburg CTF team. They dissected the story. First, the user connects to SOCKS5 server, then a map scanner comes in something like half an hour. And if a port is available, like the scanner tries to establish a SOCKS5 connection to Telegram cloud. And if all the checks are okay, then IP address becomes blacklisted. The story has attracted some non-zero media attention from local international media. But the most interesting part of the story was left unnoticed. The only reason for me to replicate the study in Moscow subway was the ability to manipulate the blocklist and add the IP addresses of my own servers to it. It allowed me to conduct an experiment that I consider extremely important. We were able to measure the timeline of blocklist rollout using diverse set of RIPE Atlas probes. And statistics we got was very interesting. It allowed us to verify the tip that we got in May. And the tip was basically saying that there are actually two tiers of ISPs with regards of timing of blocklist execution. So there are ISPs that start blocking IP address before officially signed XML blocklist is delivered with API. My personal opinion is that it's not necessary crime. There are other sources of blacklisted endpoints. For example, federal list of extremist materials. Also, Digital Security Lab Ukraine reported that Crimea has both regional blacklist and federal blacklist. But I know nothing on that region. Go ask Xenia, who may be in this room as well. And also, there were like tips coming from Caucasus regarding like stuff. But the thing that you know for sure with high level of confidence is that some regional governmental Internet blackout happened in Ingushetia this autumn during protest. Another thing we know that the race between ISPs to block still persists. 
Anyway, Russia is federation. And that's almost it. As you may already know, whole Russian history can be summed up into five words. And then things got worse. And there was a law introduced to the parliament two weeks ago. The law says that Roskomnadzor will give some ISPs anti-threat equipment for free. And that the chosen ISPs must comply and employ it. They can't refuse that new year gift. And that anti-threat equipment will be acting as filter as well. As soon as ISPs deploying the anti-threat filter, don't have to buy their own filters. And there is a thing that is scary to me. The note says that Roskomnadzor will be able to control basically routing and DNS directly. And it's scary twice. First, we have already seen the level of technical competence and lack of safety checks and safeguards. I mean all the aforementioned mistakes. And second, it's huge centralization of controlling power that can be abused without any transparency. I assume that the luxury of signed XML blacklist will be gone soon. The law also introduced a registry of legal internet exchanges and lists of legal cables crossing the border to make absolutely sure that Russia is well connected. So it goes. I'd like to thank lots of people and groups who made this talk possible. Philip Kulin, ValdikSS, Michael Klimeroff, Dmitry Nazarov, Alex Rudenko, Dmitry Bilevsky, Vartanka Cheturov, Dmitry Moskin, Dmitry Morozovsky, Simone Basso, Maria Xynou, Moritz Bartl, leaked blacklist maintainer, St. Petersburg CTF team, Roskomsvoboda NGO, Digital Resistance Measurement Squadron, the one who is to blame all the Revisor system fans, the NAG community, RIPE Atlas, and all the relatives and colleagues who helped me to survive while doing all the stuff sometimes quite narrowly and round the clock. And of course, I'd like to thank stubbornness of Pavel Durov and law enforcement bodies because that fight made all the great entertainment possible. And I hope the story was entertaining as you as well. Thank you. 
Thank you, Leonid, for the excellent talk. We have five minutes left for questions. So if you have any questions, come up to the microphones that are standing in the aisle and to the left and the right and wait for my signal. Microphone one, please. Hi. Thanks for a talk. During the whole blocking situation, I heard that Telegram continued working in Russia. Do you know if it works right now? Yeah, it works perfectly. Like, there are some ISPs that are maybe over-compliant and it works a bit less good there, but proxies work, Telegram works. For example, like Rostelecom, as I have previously mentioned, doesn't comply with subnets and Telegram works flawlessly there. We also have a question from the Internet. Signal Angel, please. Yes. Somebody is saying on the Internet that Telegram had a canary statement on their privacy page, stating that no data had been disclosed to any third parties, including governments, and they say the statement has disappeared. Are you aware of that and what do you think about that? I'm first. I'm not aware of that. And second, I think that is like not a real, like, I don't think that we should be paranoid regarding that because my expectation is that it's just another mistake because like, Telegram team had like, I don't know, they write some questionable parts of the software. For example, Telegram client has no proper exponential backoff and it can basically DDoS proxy in case of some DPI configurations. So I don't know. I think it was just a mistake by Telegram webmaster. But maybe it's not. I don't know. Anyway, I'm not part of the team. Microphone 4, please. If you're worried by the lack of competency, should you work for the Russian government? I don't know. Maybe. Anyway, I still live in Russia. Like, there are lots of useful people there. And like, I don't know, I don't think that it is the worst government we had during the last century. So things are, sometimes they get worse, sometimes they get better. 
And I'm not sure where we actually are. But some of my friends are paranoid and they basically seek for political asylum. Some of my friends are quite happy to live in Russia. I don't know. Number six over there, please. Yeah, hello, Leonid. Thanks for your amazing talk. I really enjoyed it. I'm just asking. We, as a German people, can we rent your expertise when we get some problems like serious parking over here in central Europe? Is it possible? Well, like, the main point for my talk was not to complain about Roskomnadzor, but basically to highlight the cases when things can go wrong because of Internet filters. And so that was the point. I'm not 100% sure if it, like, completely answers your question, but I think it does. And microphone two, please. Why do you think China is more successful in censoring the Internet than Russia? So the question is why China is more successful regarding censoring the Internet. I'm not sure that China actually is technically more successful in Internet censorship. Maybe it is, but the really important point is that there are a lot of Chinese people speaking Chinese language and they have a huge ecosystem of Chinese Internet that serves the purpose of basically a billion of people. Russia is 10 times smaller. It's significantly smaller market. We have some great local content, but amount of local content can't be compared to China. So maybe Chinese people don't need to circumvent censorship that much. And maybe that's why China is seen as more successful. And, like, friends of mine work with Chinese factories. And like, while they are traveling to China, they say that circumvention is not a problem. Like, everyone who wants to circumvent the filtering in China, he does it trivially. I don't know. I don't travel to China. But I trust those who do. Microphone one, please. Eileen, thank you for your interesting work. 
One question for me would be, did you face any problems through this work with authorities or services that somehow feel offended or attacked? I wouldn't say attacked. Like, I have some FSB officers in my WhatsApp phone book who were, like, talking to me, asking to educate them on, basically to give them a lecture on, like, Tor network or something like that. And it wasn't, like, offensive at all. Like, they were friendly. And why not? I think that education of law enforcement is really important because, like, law enforcement is doing not only, like, I don't know, oppression, but also a lot of dirty work that has to be done somehow. And I don't know. So far, I'm okay. Maybe I'll overcome the line eventually, but I don't know. One final question. Microphone four, please. Hi, Leonid. And thank you for the talk very much. I heard a popular opinion that after this talk, it's better for you not to come back in Russia. Sorry? Can you repeat, please? It's better for you not to come back to Russia after your talk here. Well, there is such an opinion. And, like, when I was doing that prank with Morse code, I got a message from a person from Roskomnadzor using Telegram that said that I shouldn't come back. And I was basically coming back from Belarus to Russia. And I don't know. No one had met me. I don't know. We'll see. I'm quite optimistic. Let's thank the courage of Leonid again. And thank you for your excellent talk.