 I'm Goldie, this is Pierce and our talk is an introduction to YMAX hacking. So uh, before we start off here, how many of you have heard of YMAX? Wow, okay. People at TorCamp apparently didn't know what YMAX was. Um, how many of here own YMAX hardware? Okay. How many of you here have owned YMAX hardware? Alright. So uh, so uh, alright, so basically uh, what we're gonna do is give you a quick review of what YMAX is, what companies are using it and what they're doing wrong. So YMAX is a 802.16e standard wireless network. It supports mobile IP and seamless hand-off between towers, which makes it really cool when you want to hack going about 60 miles down the freeway. Um, it covers large metropolitan areas, unlike uh, Wi-Fi. It's offered as uh, basically the entire metropolitan area. From one of their towers, you can get about a five kilometer range using a single polarity antenna, versus if you use three antennas, you can get about a five kilometer range using a single polarity antenna, versus if you use three antennas in the three different polarizations, you can increase that range to about eight kilometers. Uh, right now, the speeds that are being offering are in the ballpark of about five megabits a second, but other companies are gonna be offering YMAX here soon and they're claiming that they're gonna offer about 10 megabits a second down and uh, five megabits a second up, but we'll talk about the speed issue a little bit later. And it supports network authentication and authorization, uh, in terms of use of their resources. And most of the data with YMAX is encrypted, but not all of it. And that's gonna be the part that kinda screws them. So, how this works is, uh, basically when a client powers on its YMAX device, something similar to this right here, this is a clear home, uh, clear home router, and it's just a YMAX gateway single cat 5 port on the back. You plug it into your network and away you go. So, the way it works is when you power this on, it will first scan for the network and it will hear all the towers that are around it and find the ones with the best signal. And then it exchanges its, uh, compatibilities with the tower to say basically, I support this data rate, I support this type of, uh, error correction encoding, so on and so forth, and then, uh, sends that over to the tower. Then it goes through a, uh, authentication and key exchange. Now these devices come with, uh, certs in them from the manufacturers. So they already have a good cert and they just basically at that point go through a key exchange to encrypt all the data after it. And after you got, uh, the key exchange in a nice encrypted session going on, it goes through, uh, the registration process and, uh, this is where you get your IP address. And what was interesting that we found is that not all YMAX hardware works with all service providers. Um, an example is we bought some YMAX hardware on eBay and it came from China and we tried to use it on the US network and it was denied. So we found out a little bit more as to why this is and they're pretty much just filtering out the first three octets of your MAC address based on the vendor IDs and certain vendors get a play with them and certain vendors don't get a play with them. And, uh, so if your MAC address is, uh, approved by the service provider, then, uh, they'll give you an IP address for the network. And then, uh, after you get an IP address, uh, you go through a provisioning process and they basically look to see that you are a paying customer at this point. Um, if you don't pay your bill, this is where they're going to cut you off. They'll give you an IP address, but they won't let you get to the internet. So, um, that's where, uh, the service edition comes in here. So what we found out was, uh, to bypass the authentication process, the MAC address is the only key. That's it. Um, I called customer support and I said, hi, uh, I lost my home router. I got a new home router. Uh, what do I got to do to update this? Even though I kind of knew the answer ahead of time. And she goes, oh, just give me a MAC address. So I read her the MAC address of a card that I got on eBay and she put it in the system and it works. So, uh, yeah, it's really easy to social engineer, uh, the service providers, customer supports. They don't know a whole lot. Um, so what would be really nice is since it's just a MAC address, if you're able to spoof the MAC address, then you could either become a customer or at least put yourself into the network where you can get an IP address. And, uh, a good way to go about this is, uh, you could buy this hardware and, uh, sign up for service if you want. And if you have poor signal, then you could go ahead and call them up and say, uh, yeah, I got really bad signal at my house and I don't want your service anymore. So, uh, they'll let you out of contract now without an early termination fee. But a while back, uh, the company we're about to mention is being sued for, uh, with a class action lawsuit because they were trying to charge your customers an early termination fee when they didn't have service at their home or anywhere they went. So, uh, you can basically keep the hardware or the other fun thing is, is, uh, right before we came down here, I went into Best Buy and I just picked this up and I went to the counter and I said, hi, I lost my hardware. I just want to buy it. And I'm already a customer and the guy didn't even question it. He just sold me the hardware as is and you can walk out the door with it. So you can get the hardware without paying for service. Uh, then the other thing is to bypass the, uh, authorization process. And again, a Mac spoof Mac address would do this. But what we also found was, uh, open VPN over UDP port 53, you could tunnel right through their provisioning system. And this, I mean, we saw this like five, six years ago with T-Mobile hotspots and this was open with T-Mobile for years before they closed it and, uh, it's the same deal here. So if you have this wonderful wireless high speed network all over town and you can make your own VPN connection back to your home. If you got, you know, Comcast, VOS, whoever, or if you got a dedicated host somewhere, you could go there. So I mean, we all know what VPN servers are and how to set them up. So the other nice part about this is, uh, on the network, if you have two unprovisioned clients and they're within the same, uh, net mask and the company that we're about to mention uses really large net mass like 255 255.128. So they have these huge net blocks and, uh, unprovisioned clients can communicate with each other on the network. So you don't even really need internet and you could start making VPNs between your friends. And, uh, what's really nice about this network now is now that we came down to Vegas, uh, we left some clear hardware at home and we ended up, huh, I did say it. You got me. So, uh, we left some of this hardware at home and, uh, we attempted to connect to it. And sure enough, here we are in Vegas and our hardware sitting at home and we ended up being in the same net mask and we can just tunnel right to each other. No problem. So, uh, yeah, it's like wireless across the nation. It's cool. So, um, now what actually seems to be quote unquote protecting this right now is the fact that, um, it's a licensed spectrum. And what that means is with Wi-Fi, it was unlicensed, which was cool because we can make all kinds of tools. We can inject traffic onto the network. We can sniff traffic. It was open to anybody and it became relatively cheap and popular real quick. Uh, the difference here is, is that YMAX is a licensed spectrum. Uh, companies got to pay to use this. It's not like you can just go out and start up your own YMAX tower. That's not the way it works. The FCC regulates this stuff. So, uh, the FCC has made it a point to really come down on vendors to prevent these type of things, such as sniffing the network and, uh, you know, spoofing MAC addresses, IP addresses, so on and so forth. And, uh, it's not very open to the public and we're hoping after this talk, maybe that'll start to change. And, um, pretty much only paying customers can, uh, get access to the service. So in this case, yes, I said it, uh, Clear is paying, you know, for this licensed block of the spectrum to be able to use it. And then we sign into a service agreement with them. So now we are authorized to go ahead and use this service as well. Okay. So, uh, I'm going to be talking about Clear and about last December, uh, this company came into Portland called Clear that, uh, was offering up YMAX service and yeah, yeah. And I, uh, was watching the news and there was a giant snow storm, which was kind of interesting. And, uh, the, there were like news people walking around, seeing like who was crazy enough to be outside. And there was a bunch of these, uh, Clear guys that were like pitching their hardware and stuff like that. And like, so I essentially like put on my snow stuff and like ran out and managed to figure out what street they were on and like bought up a bunch of YMAX hardware. And so, you know, this isn't like six to eight inches of snow. Like the whole town was shut down. And then all of a sudden these guys are on the corner, like trying to pimp out their hardware and nobody is like on the street. So it was quite comical. So I was able to weather out the storm just hacking on YMAX shit, but it's pretty fun. So yeah. And, uh, Clear is essentially a marketing branch of Clearwire. Um, they do, since December, they've been had a massive gorilla marketing campaign in Portland, like big trucks driving everywhere and like big cup cakes in the park blocks and a whole bunch of random crap everywhere. But, uh, yeah, they're 51% owned by Sprint. So the actual Clear access points are up on all the Sprint towers around Portland. And, um, they have recently partnered with Comcast and they've got this Comcast to go service that they're bundling with Comcast so you can have your little, uh, mobile YMAX, whatever. Want to ask a quick question? Has anyone else heard of Comcast to go? Cool. I would like to maybe later on find out, okay, well, do you guys live in Portland or Oregon or around there? Okay. Everyone's saying yes. Okay. So you guys have heard of it. Okay. So, yeah. Okay. Um, well, that's what I'm trying to figure out is like, where else are they trying to do this stuff? Because I, there's not a lot of information on the net about it. The only information we've been able to find is like, from their website and the media sources. And the media sources are kind of behind the time zone. I'm sorry, I can't hear you. But I would like to talk to so many people in Q and A after closing ceremony. So, yeah. So, uh, the pricing scheme that they have is they have a mobile service and a home service. The home service is more, it's almost, um, modeled after like a cable modem, except instead of plugging into a cable, you're in the air. And it, uh, they have a tiered pricing scheme that's based on bandwidth. One of the things that I noticed is I purchased the lowest tier, which is $20 a month. And I was still able, they said I should only be able to download it like 100K. And what I was still able to get downloads at, uh, one to 1.5 megabytes per second, which is pretty, uh, nice. Uh, and the little home devices are $5 a month to lease or $70 should just buy it. And, uh, the mobile devices are based more off of like the 3G USB sticks and stuff like that, where it's actually, um, the tiered pricing is based on the amount of data that you're able to download per month. And I think it's got some speed adjustments there also. But, uh, those are $5 a month to lease and 50 to buy. So, this is a clear USB modem. Plug it in and, uh, it just runs and it gives you an actual IP address on the internet, which is kind of nice. It doesn't put you in any sort of NAT or anything like that. It's real small, fits in your pocket. Yeah. Just plug it in, go. Right now it only works in Windows. Uh, supposedly I was looking on their website and it said that they're going to have OS 10 support pretty soon. Um, that the OS 10 drivers exist. Okay. Awesome. Awesome. So, uh, the drivers are made by a company called, uh, BCME or something like that. Which, and the only thing that they seem to do is make wireless chipsets. But, kind of interesting. This is the clear home router. You can see it actually looks almost like a Motorola surfboard. So, uh, what that does is essentially plug into Ethernet on the back and it gives you a NATed IP address and it just bridges you out onto the, um, wireless network. Uh, real quick about this also, um, basically what this is, is the Motorola CPE 150. If those of you who want to go, like, start looking up hardware specs and have cool stuff on it, uh, clear obviously you want it to, like, rebrand it and give it their own model number and yada, yada, yada. But when you crack it open and start looking inside, it's, uh, Motorola CPE 150. Yeah. And, uh, you can, I mean, just like a surfboard or whatever, you can connect to the device, like just type in the IP of the gateway or whatever to your browser and it'll pop up the little, you know, welcome to the device and you type in Motorola for the password, which is great. And then it, uh, has the whole configuration things and, yeah, you want to talk about that. So, one of the, uh, the key points they point out in the 802.16 specification is to use these, like, advanced authentication methods, uh, in order to get people onto the network and give them service. And with this modem right here, you go to the YMAX security page and the authentication method and all the fields you see here are disabled. That's, you can't even get better security if you wanted it right now. So that's, that's seems kind of irresponsible to me. They go to a lot of the configuration options and stuff because they want you to also, like, stay only on their service and so you can't throw up any other access points or whatever. Yeah, they want to lock you into their service and they don't want to let you be able to use their YMAX hardware wherever else you go and they're trying to lock it in. So, uh, I know some of you have been raising your hands like you got questions, but we want to try and get through this. So, uh, we'll take some questions afterwards. Yeah, uh, this is an interesting device that we've been seeing around recently. Uh, I think it was originally called the WIPype and now the website's calling it ClearSpot, but what? Or CradlePoint, yeah, we've heard a lot of names for it. So, they, I don't know if marketing people can't make up their minds or what, because one week it was called WIPype and then when they started putting it out it was called ClearSpot, so it keeps changing. But it's essentially a little wireless access point that you plug your mobile device into and then it re, like it bridges, um, your Wi-Fi to the YMAX and so it has a little, uh, you know, WPA2 password and type it in and share it with your friends and so that's pretty convenient. Um, yeah, it, we haven't purchased one, but a friend of ours said that they did and they cracked it open and they saw it's just running Linux on there and so. So, there's hope that there's already existing Linux drivers out there and Clear's not releasing it on their website for us? For the ClearMobile device, yeah. But it seems that this could very well have those drivers inside it so, uh, hopefully there'll be some more research on this later. Yeah, right now if you run Linux the best way to, uh, get on YMAX is to just get one of the home devices I was carrying one around on my backpack for a long time and also what you can do is, um, VMware works fine like you can do the USB pass-through and then connect the mobile device and do it that way also. So, we noticed a few strange issues with the network. Uh, the first one that I thought was interesting was the bandwidth rate limiting. It doesn't work right. Like it says that I'm only supposed to be able to download at very low speeds, but I was getting, you know, speeds that I was very happy with. So, um, also one of the things to keep in mind if you want to hack around with one of the home devices is that they will do auto updates and the first thing that they do when you turn them on is they'll try to download new firmware updates and then reboot. Um, but what you can do is right when you plug it in quickly connect into the device, you know, type in Motorola, get into the interface and then there's an option there to disable the radio. It normally, uh, it's normally about like 10 or 15 minutes before it'll do the initial, uh, upgrade. So you have some time. It's not too much of a race, but, um, if you want to mess around with it before it decides to provision itself. And it's also, uh, these devices, when we bought them, when we first booted them up and looked at them and you scan them and whatever, they're running like SSH and they're running some different things and they've got some different issues. But, uh, the, we pulled the firmware off and cracked a bunch of the passwords on the system and stuff like that. And there were still some restriction issues. We don't know if the configuration was weird or different or something, but we still haven't managed to get a shell on the live home device. But, however we, uh, the way we were able to pull the image off this is they left the JTAG port on this hardware device. Yeah. Um, or, so, at that point it was like, cool. And we started looking at, we're looking at all the, you know, solder points on there and counting the pins. I'm like, it certainly looks like a JTAG port. Let's play with it a little bit. And a few minutes later we figured out it was, and it was pretty much an in-game at that point. Yeah. And we tried modifying the firmware and re-uploading it again, but it looks like they do actually check signatures on the, um, on the images that get loaded. So, um, wait, no, yeah. Uh, I'm only on the third one. No, clear, one of the interesting things also is, uh, clear is very slow to deprovision. Like, I stopped paying for my mobile device and it was about three or four months before they actually stopped my service. So, that was kind of cool just to have a few extra months to play around with it. So, um, what's also really interesting is when you take the clear devices to new areas or when you, even like on a different side of Portland or something like that, um, it will let you onto the network straight away and it won't, um, block you for a while. Sometimes it takes five minutes. But actually, uh, we brought a bunch of these home routers and I don't think any of them have been locked out of the system yet. Uh, actually, we got down here and this one I had bought right before we left and I, I checked it at home real quick, plugged it in, found the network, I'm plugged it before they did any updates or anything, came down here, plugged it back in and I had an internet for about like five minutes and then the device just rebooted on so and it's like, boom, you're at the portal page. So, you have a small window when you first power these on before they get to it and want to, you know, secure it, putting firmware on it, so on and so forth. So, uh, keep that in mind if you get one of these and you're interested in hacking it, I would probably consider turning off the radio within, you know, as fast as you possibly can through the web interface and then, uh, yeah, go ahead and have fun with the JTAG board. And the one that I've got in my room still, uh, there's no, it hasn't thrown up the captive portal or whatever and when the service is cut off, they don't actually really cut off service, they just put you into a captive portal because they want to be able to sell you like the, you know, one-day service and do stuff like that and, but it's, you know, it's a captive portal. So, it still lets you on the network. So, yeah, yeah. Free internet is awesome. Yeah, free internet is way awesome. Especially when it's, uh, broadband and like everywhere and anonymous and yeah, I mean, it's pretty fun. So, uh, some of the, do it yourself here, uh, you could get a Intel Wi-Fi or Ymax 5350 card or this is codenamed Echo Peak. You can find these on eBay or anywhere else online for that most part. And this does work in Linux and this is one of the cool cards that, uh, are out there that does work with Linux and it works really well. A lot of people have been putting a lot of time in on this last year to get a lot of bugs fixed with, uh, the Linux Ymax drivers and they're pretty stable now to the point where it's actually usable. So, um, hopefully they'll get it a little bit better. They're still having a couple of minor issues like the Linux drivers, uh, you can't go 60 down the freeway and, and map somebody because it's taking like four to five seconds to do tower handoffs when it should be doing it seamlessly. So, uh, they still got a couple bugs to work out but yeah, definitely for the most part it's, uh, it's cool hardware. It's just a mini PCI Express card. You can put it in your netbook. You can, uh, get USB 2 to mini PCI Express adapters and just plug it into your USB port. It works that way too with, uh, the Linux drivers. So, uh, yeah, something to keep in mind if you absolutely want to play with this in Linux and, uh, really poke at the hardware. This is, uh, this is really cool hardware because one thing that we didn't put in the slide is that with this hardware it's more or less a software defined radio. They just opened it up. So it's covering everything from like 2.3 gigahertz to the 2.5 gigahertz because that's, that's the range that Ymax is going to work in and a lot of you are probably thinking, well, wait a minute, Wi-Fi is like 2.4 gigahertz. Yeah, it is. It's like right there in the middle. That's how they can put Wi-Fi in it too. So it's just a basic software defined radio and the only thing that's defining that is the firmware that you can upload to these things. So, uh, the Intel firmware however is, uh, tied under their proprietary licensing, you know, don't reverse engineer this. Don't hack it. Don't change it. And so on and so forth. But the drivers are GPL'd. So, uh, we tried to play around with the drivers a little bit and spoofed the Mac address and the firmware is just saying, nope, not going to happen. So, uh, yeah, unfortunately the firmware is restricting us from being able to change our Mac. But, uh, yeah, hopefully that will change someday. So, uh, yeah, what not to do when you're deploying your Ymax network? Um, don't assume that FCC is going to protect you from hackers. That's a joke. Like, creating rules and regulations will prevent most people from doing things, but if people are really determined, they're going to be able to find a way to do this. And with something like this, that it's just using your Mac address and that's it. That's like your customer ID. That's you. Uh, that's going to be really bad because somebody could just spoof your Mac and all of a sudden frame you for something or you could just, you know, just get free internet. There's all, I mean, we've all seen it with Wi-Fi. And, uh, they just basically took like a couple of steps forward in terms of, hey, let's just give it like Wi-Fi, but in a really broad area and, oh yeah, security, and we'll forget about the security thing and they went back like eight years in terms of, you know, wireless security. It's like they learned none of the lessons that we all taught them over the last few years with Wi-Fi. So, it's like a T-Mobile hotspot with a five kilometer range. It's pretty great. So, uh, yeah, uh, also another great thing to do when you're going to deploy a, uh, nationwide Weimax network is listen to the specification. The 802.16e is in like, 800 plus page specification. I spent three days going over the whole thing. There are a lot of security points in the specification that they tell you, you know, make sure you do this, otherwise you could be possibly exposing yourself here. And it seems like clear ignored every one of them. Actually, it seems like they didn't even read the specification. Like they're like, Hey, cool hardware. We can make money on it. Let's just push it, market it, go, go, go. And I would really encourage, like, if there's anyone in the audience from clear that's been here, like I would hope that you would read the specification through and through because, it has a lot of good points on security. And if you follow the specification, there wouldn't have been a lot of these problems that they got right now. And, uh, the other thing, obviously, don't use a MAC address as the authentication. That's just retarded. Uh, yeah, come on. I mean, Motorola already has the, you know, the EAP and TLS authentication stuff in their hardware if you just enabled it and actually used it on the back end. And I understand that it seems to cost a little bit more money to implement all that stuff, but right now there's about $1.2 billion worth of, like, people investing in this YMAX market. If you can't secure this with $1.2 billion dollars, you shouldn't have that $1.2 billion dollars to do this with, in my opinion. That's just, it's crazy. I want to talk, okay. I think one of the business models that I think that would be nice if they actually implemented was, you know, back to the old dial-up modems with username and password where you pay money and put in your username and password and it would work because, you know, with any of your devices you just have YMAX hardware and you pay for credentials and they give you access to the system and you get charged based on that access and stuff like that. I think it would work a lot better than what they're trying to pull off now. So the other one is, you know, pre-shared search or SIM cards and I found this really nice USB to to mini PCI Express converter that also had a SIM card reader on it and I thought, hey, this would be really neat if, you know, they were to actually support using a SIM card like cell carriers do now. I mean, you do not hear about people getting, you know, their SIM cards ripped off and jacked. I mean, yeah, it can happen. Yeah, there's SIM card cloners out there, but it's few and far between when these kind of things actually happen. And that would at least be one method where, hey, this is your physical authentication and you got to like take this from me before you're going to be able to use my account. So another really nice piece of hardware is the, I think it's like the ALIX 6 embedded router platform. They have like a mini PCI slot and then the mini PCI Express slot on it and they also have two SIM card slots on this router board. So that's another model for where they could have, you know, something like this device right here, but actually support a SIM card in it as well, that you could already have in the case, you know, just make sure you got the number somewhere on the, like the packaging or something, you know, when they check you out and they register, you're great. They take the sticker and you're going to go. And another thing that really bothered me was when we got these cards off eBay, the network wasn't authorized to all vendors and that seemed kind of weird. I mean, you guys, if you're in this to make money, let anybody that has compatible hardware use your network and they, they're offering this like captive portal thing and they're trying to charge people like $10 a day. That's outrageous. I mean, $10 a day and if people are actually going to pay for this, wouldn't it make more sense to just let them on the network so you can make some more money instead of picking and choosing favorite vendors of yours that just, to me, that doesn't seem like, you know, it's very open. They seem like they have really tried to restrict the network a lot. Yeah, hardware providers and service providers should not be able to do exclusivity contracts because, I mean, it's anti competitive and it hurts the customers. So, I mean, seems like a pretty obvious statement, but I guess a lot of people don't understand that. So, yeah, first thing on our future projects, we want an open firmware. That's it. I mean, we want an open firmware. I can't say on stage who I used to work for because I want to go back to working for them, but, yeah, there's really cool firmware out there. I've seen it. I've played with it. I know what it can do. Yeah, these people need to really open this firmware up. And I believe if they were to open and I don't want to say names, but if they were to open the firmware, it would force the service providers to actually get their shit together and make their shit secure because it would push them to the level that they would have to actually honor the specification. And I think that's where it needs to go. And our thing is, is Kismet plug-in. Yeah, we saw drag horn and kind of talked to him for a little bit. We really want to get this into Kismet. But then we started thinking, wait a minute, what do we call this? Like war driving, but it's everywhere in city. So what do we do? Just park our car, like war parking. I mean, I can't, we tried to like coin a new term here, and we just can't. I mean, it's everywhere. There's like, we thought war maxing, but still, I mean, it's not even fair, man. You just drive down the freeway anymore and you know, see APs just pop up on Kismet. It's just like one name. It's just one name and just several towers. I was thinking it would be good to do from an airplane. Flying over cities and see what's in. An air one would be USRP2s. We talked to a gentleman at tour camp about this and he seemed very interested in Ymax, but there's a lot of complex encoding that goes on with Ymax because they use several different types of air correction coding. So there's a lot to be implemented with the USRP2 to get this to work. But yeah, we all know what USRP2s are and if we could get that working with Ymax, then it would just, it'd be on like Donkey Kong. I mean, you could just have a field day. And now, a couple of things you may have noticed we didn't address in this were things like Man in the Middle. We didn't want to address that because of the fact that the service providers might get really, really upset because they're actually paying a license for this and if you go stepping on their toes like that, you could get in some serious trouble. So at this point, we're not encouraging it. We don't know how to do it. We haven't tried to do it. But I suspect if someone got the USRP2 working, then they would be able to just have at it. So and yeah, if you guys want to keep up to date on what we're doing, we started the Google groups and just groups.google.com forward slash group, forward slash Ymax-hacking. You can also just go to Google groups and just search for Ymax-hacking and you'll find it too. So yeah, is that, you have anything else you want to say? No, I don't think. Yeah, I think it's good. So, all right. That's it guys. Thanks. Any questions or anything? Oh, you want to see the portal page? I'll show you the portal page right now. If Clear lets me go to the portal page because I tested this like 30 minutes ago and this is an unprovisioned router and they just let me on the internet and I was like, God damn it, you guys are going to screw my demo. So let me actually check that real quick and see if they are on, they're giving me free internet at this point or not. Cool, there. All right, that's it. I didn't even have to try to do anything fancy. They just let me on the internet. So I was going to show you how to you know, use a VPN to get through this. You know, plug in the mobile device. Excuse me? Speed test? All right. I'll give you one of those. It's the EAPTLS authentication stuff like that. It's all, I mean, it's just TLS authentication. So yeah, you have a Awesome. Symmetric keys that lead to, or asymmetric keys that lead to symmetric keys. So, yeah. Bad Ethernet cable wasn't there all the way. So that was probably Google cache we were seeing. Thanks Google, caching everything. All right, let's go to, okay. So yeah, they're online. Yeah, we can show you the mobile device here in just a moment. You wanted that speed test though. I want to get that. So right now, they claim that they're offering about five to six megs down and like roughly 768k to one megabit up. But it really fluctuates based on your signal strength, usually about three bars, you're doing pretty good. Five bars, you're like, you're just rocking it. And so let's go ahead and, and another thing that Clear will tell you when you call them for tech support is the polarization like they tell you, oh yeah, go ahead and move your modem like 45 degrees and then move it 45 more degrees and keep doing this until like your bars signals go up. And that's because they use just single polarity antennas in here that are actually extra into the circuit board. They have like no extra antennas on here. So the antennas that are in here are pretty crappy. So that's about the speed test we get inside here in our room, try LA. All right, I'll do that. Yeah, when we went on the balcony of our room, we could get like four to five bars and it was, it was pretty decent here. They're having, obviously Vegas is like the new market we found out two weeks ago that Clear was going to be here by the time Def Con rolled around. So we're like, whoa. And as soon as we drove into town, we saw clear boards like on the side of the train on the billboard and we're like, okay, this is gonna be a good weekend. So you've been patient with me. So basically what he said is he's noticing two different like speed ranges like limited and like almost unlimited. And we've, like we said before, it's really spotty on this. I mean, this is unprovisioned. I went to Best Buy and I bought this and I plugged it in and it works. That's it. Okay. Like I can't make it any more simple for you. So anyone that wants like, you know, if you're in one of the, if you're in Portland, Baltimore, Atlanta or Vegas and you guys want to just have some fun with some Y-Max, it's in your town, you'll definitely see commercials. Clear is like a gorilla, marketing gorilla. I mean, they just, they push it and push it and push it. They'll go to like slash dot and advertise based on geo IP information. So the moment Clear becomes available in your area, you will most likely know it will end up in your face one way or another. Yeah. And it'll be awesome to post it on the group also, like if Clear does come to your area because a lot of the, a lot of the networks are deployed before they even, you know, advertise or tell anything about it. And so we can get ahold of some hardware and then, you know, it may someday just randomly become active. And so it'll be interesting to Okay. Was there any more questions? Did anyone so? Okay. We got a question back here. Can you speak up please? You're kind of back there. Yeah. Thank you for noting that. We want to give a huge thanks to dark tangent who made this possible. Our call for paper was denied and he was walking past me at tour camp with his briefcase and a little Tupperware brownies and the brownies fell in front of my feet and I grabbed them and said, turned around. I was like, you dropped your brownies. And he took off his glasses and I was just about to attack him to the ground and I'm like, dude, why did you not let this talk come in? Because this is like cutting-edge wireless stuff that's upcoming. And he told me that they had just had a talk that got canceled and he offered me the slot and I said, hell yeah, I'll take it. And that's how it came to be that we got on here. So it was kind of a last minute thing. That's why you don't have a presentation or anything from us on the CD is it was really, really last minute that everything had gone like the CD had already been out to go be burned and we barely made it on like the book by the skin of our teeth. Like Nikita, send me an email saying you have one hour to get like your abstract back to me before I got to approve the book to be printed. So we barely got in by like the skin of our teeth and again, like a huge thanks to DarkTangent for making this possible for us because yeah, this is my 10th year at DEF CON so this was like awesome to be able to come down here and do this. And the slide should be on the Google group also. So yeah, we're going to put the powerpoint slide and a little bit more information up on the Google groups. I got to go talk to someone from EF to find out what we can and cannot do because I don't want to get in trouble. So yeah, I think that's it. I know everyone wants to try to go to the closing ceremonies just so you know we'll be taking Q&A questions in 106 right out here after closing ceremonies. Until then, I know that the goons were telling us that basically everybody has to get out because they have to like rearrange the rooms or like the walls or whatever. So they're going to really open up the space for the closing ceremonies. So thank you everybody for coming and yeah, next time.