Right, that's it, let the talks begin. Speaker number one, don't make it fast, make it real, AHP.

Yeah, so a very quick talk on real time. So there are many terms related to real-time systems and they often get mashed up in many talks I've heard here, in discussions and so on; just a few quick starting points. So real time: in normal computing systems, you look for logical correctness. So if you add two and two and you get four, if you're not in an Orwellian country, then it's correct. In real-time systems, this result also has to come at a specific point in time, and this is the temporal correctness. So the timing aspect is usually given through some kind of deadline, just some defined relative or absolute point in time when the computation must be ready and the output exist. Often in real systems, this occurs periodically, where usually the period is identical to the deadline. So every five milliseconds, you really need to have computed your next motor position, for example.

There are characterizations of real-time systems. One is soft real time, which you usually want for audio/video systems or like some live ticker for your favorite sports game. There it's important that it is kind of soon enough after the event has happened, otherwise everybody else is cheering and you are missing out. Hard real-time systems, think of robotics or actually any moving physical object: the motion usually has to halt at some point in time, and if it's too late, it will crash into something and crash, I don't mean restart it, but kind of remanufacture it.

So some basics, some basic terminology. Resolution is the question of how fine a distinction you can make. Precision and accuracy are two different aspects. So you can have a low precision and a low accuracy as you see at the top. You can have a low precision and a high accuracy as you see at the bottom. And of course, make the other two combinations.
And the ideal of course is high precision and high accuracy, which is a typo in the slide on the bottom right. So this is now spatial, but in real-time systems you have to transfer this visualization to the temporal domain. So you can have systems that have a really high temporal accuracy, but a low precision, which may be acceptable or really bad.

So, speed. What I usually see when people say, oh, this is so fast, it will be real-time capable, is that they run their function in a loop a billion times and measure the average speed. But what we really have to look into is the worst-case execution time; especially if you have some fancy non-deterministic algorithms, this becomes important. So on the plot on the bottom left, you see a couple million iterations of a function and the time it took to complete them. So the average is really good, but you have those three spikes, which are the worst-case execution time, or oops, the robot just crashed into the table. That's why if you think about functions or systems that are capable of real time, please do not only look at the average but make a histogram of all the run times, and there you really don't want to have a large deviation as on the right side. So we are looking for determinism here.

Networks, of course. At the Congress, I don't have to introduce the terminology here too much: bandwidth is just the amount of data transferred per time; latency, the duration between when the data has been sent and when it has been received. Jitter is the variation of the latency, and the cycle duration you always have once you have a system that has to exchange data repetitively. So an RS-232 serial connection really has a low bandwidth but also low latency and a very low jitter, so it might be actually a good choice. Your usual TCP/IP over Ethernet switches is high bandwidth, has an okay latency, okay jitter depending on the utilization of the switch.
Fieldbus systems that might rely on standard Ethernet reduce the bandwidth but really make sure that your latency and your jitter stay within a specific amount. And I'm running out of time, obviously, which I knew, but the slides are also for reference. The quote by Tanenbaum: never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway. Yes, high bandwidth, but really bad latency and bad jitter. So the same is true for our latest scheduling. Three, two, one. If you are interested in the slides, just send me a mail, I'll also put them on the wiki, so this is meant as advertisement for quick lookup slides for real-time systems. Thank you.

Thank you. All right, we will continue with the next talk, avoiding singularities in robotics, in four by three ratio.

Okay, so thank you for being here. We're gonna talk about robots, so I assume you all more or less know something about them. There are basically three types of robots. We have parallel robots, serial robots and hybrid robots. You probably know these two, these few platforms. They're known as parallel. They have basically a good payload-to-weight ratio, so they can handle the heaviest things. They're fast, but they often have a small workspace relative to the size of the machine. The workspace is also segmented into different, smaller workspaces because of singularities. If you know the Delta-type robots, you've probably seen it. There are many, many types of parallel robots, all mostly trying to avoid the singularities. We have some really strange architectures, but there's always some limitations. We also have, wait, let's go here. Serial robots, which you know, they have a larger workspace, which is also segmented, so motions are not possible if you go, see this video, but there's no, okay, maybe it's, I see what went wrong. All right, sorry. So, they're quite slow and they cross singularities. So, also a big problem, we don't want singularities.
So, that's a new type of robots which are, what's the thing? I don't see the light. Oh, here, okay. Yeah, with those types of robots, maybe you've known them, they're anthropomorphic. We use elastic elements in series with the actuators because they're highly synergistic, and those elastic elements make structures really shaky and not appropriate for industrial use, for example lifting heavy loads like cars and stuff like this. So, what do we do? We drop away parallelism, we drop away singularity, axis alignments, and we screw everything again. We base structure, we use a structure based on tetrahedrons, and I have some accessories here. Yes, I made a model with marshmallows and yesterday it was too soft and now I'm afraid they break because they're dry. So, if you have a swing like this, it's not a very pretty swing, but it will work. Okay, that's a swing, it stays, now it's happy. If you put it like this, it falls into a singularity one way or the other. So, what we do is we take many swings like this and we have one triple swing which is falling into a singularity. Then we have a double helix, same like we're springing like this, no swing, which is also falling into a singularity but on the other side. And then you have a triple helix which is completed by doing the, with the passive elements. It's interesting because you can adjust the stiffness. Instead of having singularities which you must cross and go around, the target and the current position become the singularity. So, the robot will travel to and from the target in a spiral fashion and... Five, four, three, two, one. Thank you for being here and I hope you like it.

Thank you. The next talk is CNAPS, also in four by three ratio. They stole the clicker. Do you still have the clicker? Wait, wait, wait. Actually, that's the last slide. All right, let's go.

Good morning, beautiful people. So, I'm talking about CNAPS. It's basically blockchains, arts and people. So, a quick rundown.
It's going to be a three-day festival in September in Leipzig, with 12 concerts so far, eight workshops, two conference tracks, and you're wondering why. Blockchains and smart contracts are touted as one way to have fair compensation for creative labor. We can also see that at the Congress, where we had two blockchain lightning talks and the easy cash talk by Pesco yesterday, which I highly recommend. And the whole setup we're running is basically a fork of Les Siestes Électroniques from Toulouse. Okay, a few people know about it. So, why? We want to explore better payment methods in the future. Also, we want to have a real-world use case for experimentation, and a use case that's not limited to ransomware payments, financial speculation, or drug trades. And also, since everyone sort of seems to like blockchains, we want to see it, like, let it shine or let it crash. So how? We currently have bold wallets which are tied to wristbands. There will be contracts between participants, which means there will be percentages hashed out, like how much the artist gets per performance, how much the staff gets, et cetera, et cetera. And we're also integrating with the local economy. That means we have already talked to shops, et cetera, so we can not only pay at the festival, but also for stuff outside the festival. So, we want you, we want you as an artist to work with current technology. We want you as a hacker to play with blockchains on a larger scale, also with smart contracts. We want you as a supporter, which means you contribute whatever you can, not only imaginary cash, but also hard cash. And also, as an attendee, just come, hang out, enjoy the festival. So, there's a really bare-bones website up. If you think you can make it better, come talk to me. There's an email, contact us via email. It's the best way to do it. I'm sitting in the front, otherwise probably at the DSD assembly. And that's it. Thank you very much.

I told you it's fast.
This is what happens when you promise a speaker a cookie if he's fast enough. I hope you have a cookie now. Where is it? All right. Next talk is Panoptikum, in a 16 to 9 ratio this time.

Hello, everybody. Welcome to Five Minutes on Panoptikum. What is it? It's the podcast social network that we all want to have. Who is listening to podcasts already? Please show hands. I built this stuff for you to find new content and to share your experiences with the others. Who has not shown hands? I built that network for you as well, to get into podcasting. So, how does it look like? It's a colorful website with lots of categories, with lots of assets. We have some features already. For example, currently we have 77 categories, 630 podcasts in and more than 50,000 episodes already listed. We have features for easy access to episodes; you don't even have to use a podcatcher for it. You can listen with a web player, with a modern one, in double speed, whatever you like. We have a responsive layout so you can experience it on your smartphone. We have full-text search and you can see lots more stuff. For example, you could recommend to other folks the chapters of episodes that you like in particular. If you are willing to subscribe, we have more features for you. For example, a feature: listeners of the podcast you listen to also listen to these following podcasts. Again, displayed in a very simple, accessible way, just clicking, and two more clicks would bring you to the first episode and you can listen to the podcasts immediately. What's the roadmap? Public Alpha is out already since October. We switched now to Public Beta, so you are really invited to use that stuff, test it out. Let's see if it can hold your load, and we will go live in summer next year. What are future features? There will be messaging between users and podcasters. Community-driven categories have just been established.
There will be a public API, UI improvements and lots more stuff to come. You could send in wishes as a podcast listener. Obviously, we are interested in feedback. You could file feature requests if you are maybe already a podcaster yourself, or you could even contribute as a developer. We are a completely open team. If you are into functional programming, we are using Elixir and Phoenix. And yeah, just join in the team. We are an international, quite small yet, but open team. Yeah, how can you find me? Just go to the website. It's Panoptikum.io. You find all the details and concepts there, or if you are interested in podcasting, just come down to the podcasting mentee table, which is right behind the Sendezentrum on the ground floor. Yeah, that's my talk. Thanks very much for your attention and get into podcasting.

Thank you. We didn't promise him anything. So the next talk is going to be in a four-by-three ratio: the other side of the incest Verbot.

Hey, I'm going to talk very fast. So listen up. I'm... What's it? Okay. I'm Louis Fabou, the other secretary of the tinkering to come. As you may or may not know, the tinkering to come is a movement interested in the gathering and use of pieces of and for the tinkering. We tinkers are using all kinds of wonderful things, not just technological, but furthermore cultural artifacts and practices in other ways than were forecast by their engineers. And as such, we feel quite welcome here among hackers, because one could say you tinker too. Today, I want to talk to you about tinkering with your personal relations to maximize your degree of freedom when you're walking away from this gathering and out into the wilderness out there that is called civilization. So this is a photo of eight-month-old me, already looking quite fabulous. Notice the sense of wonder on my face and the already quite dedicated hand posture. The point of this picture is that the difference between me then and now is that I was alone.
Alone in the sense that I didn't have any peers. Alone in the way that many of you here can understand. It is because of the dwindling birth rates in the West, people tend to have fewer siblings. I, for one, gained a brother about 16 months later and it improved everything in my life dramatically. But let me explain. Siblings are not only wonderful people, the sibling relation is ruled by deeply embedded cultural principles and is something almost everyone has an understanding of. Basically, you get thrown together with another random person with the same mother, of roughly the same young age, and then you're allowed to get to know them as deeply as very few other humans. You will go with them through important events of your and their lives, the good ones and the very, very bad ones. Unconditional love and solidarity will be expected of and societally enforced in siblings, even if they seem at times to be very evil creatures, and much more important, your desire to not be alone in the aforementioned wilderness will make you stick like glue to them. In most cases, in most cases, it will work until death lets you stand at their graves or vice versa, and most of the time, I spoke to many siblings old and young, it will have been more than okay. But there's power in the world and power rules supreme, at least for now. So this is a photo of the French intellectual and ethnologist Claude Lévi-Strauss. He first described what we now call tinkering academically. In his book, The Raw and the Cooked, he wrote about, we're getting there, the origin of the incest Verbot and characterized two parts. The ban on endogamy, meaning sexual-romantic relationships between siblings, and the bid for exogamy, meaning the expectation of society for you to look out to form such relationships with the ones you are not related to as your top priority in life. Another way to say it would be: incest is what you call a taboo. You shall not have siblings that are not related to you by law or blood.
And on the other hand, you shall not form monogamous romantic relationships, shall form monogamous romantic relationships wherever you can. This is obviously what you call a naturalistic principle. We of the tinkering call it an ideology of romantic love. This is a picture of Jacques Derrida. In his book, Politics of Friendship, he asked two questions: why we limit relationships to blood or juridical relation, and why we limit our ideals like liberty, equality, fraternity with gender norms or the patriarchy. He proposes to form relationships more creatively and free the ones we tied to power by excuses like biology or the law. In other words, why not have unrelated siblings if this is already a well-established and good kind of relationship that you could wish to have with people. To conclude, we who are of the tinkering propose to neglect biology and the law and to form relationships of love and solidarity by embracing the other side of the ban. Because what remains is you can make every other your sibling by consensually subscribing to the taboo, the ban and the bid. Artificial limits make art. Lastly, I have to disclaim: through our times, good luck, a few leaps of faith and of course, consent, I acquired a sister myself a few years ago and we defend this relationship ever since. She's an other, unrelated and maybe younger than me, but she's my older one. And it was the best thing in a long time that happened to me and it was, as I explained, tinkering, which is the greatest thing in the world, and you won't get a picture of her because you would hate that. Thanks a lot.

Thank you. Next up is version, thanks. Next up is version control for writing musical notes and it's in four by three ratio.

How does this work? I never had such a thing in my hand. Just press the right button. Oh, yeah, okay, good.
So I don't have a product, I have a question, which is how to use version control for writing music, for writing music, and I mean by that for composing, not for engraving music, because for that you can obviously use LilyPond. Once you have done anything with version control you also want it for composing, because composing is actually a lot like coding. You try out things, you test some things you like, some things you don't like. You want to get back to your earlier versions, so you totally want it, because everything else feels like Stone Age. Yes, and when composers who think in musical score, as opposed to composers who use loops or graphic notation or other things, they think in musical score when they compose, I haven't met one who writes LilyPond code. They really want to write notes, so you want to use a WYSIWYG editor. The best I could find so far was to export, so I use MuseScore to export to an SVG file and there's an SVG diff viewer in GitHub, which could be like, this would be the closest to a solution that I found so far, but there's a problem, and this is that musical score is a justified print, so all lines are the same width, and if you change something in a line it changes the whole line and it's likely to change the whole piece visually. So there's an example. If you look at example number one and two in the upper line, like in a treble clef, it's the same notes but you have to compare them one by one, so if you would use this in a diff viewer for SVG files it would not be of any use. So my question is how can one signify what has changed? Does anyone have an idea how to show a diff on musical score that works with a WYSIWYG editor? That would be great and if you have an idea please talk to me. So GSM is 2318 or Benjamin Wand on Twitter. Thank you.

Thank you. We still have plenty of time, so maybe if someone in the audience has a hint for you right now, anyone, please stand up?
Then we will just continue with the next talk, which is financial surveillance versus responsible journalism, also in four by three.

Hi, my name's Tom. I'm a data journalist at a newspaper in the UK, and data journalism can mean lots of different things, but for me it's not about visualizing data and making interactives, it's about doing investigations and finding stuff out using data. And I'd like to tell you a bit about something that I've investigated recently, and a little bit about how I did it and what I found out. It's about financial surveillance, and in particular it's part of this financial surveillance system that's evolved since 9/11, in which banks are told you must not provide services to terrorists. That's quite self-explanatory. There's also been a push to tell banks you must keep an eye on politicians who are using your services in case they try to launder corrupt funds, and if you do that, it's your fault. So in order to allow banks to fulfill these obligations, there's this database called World-Check, which is compiled by Thomson Reuters. They use open sources such as sanctions lists, reports in newspapers, to compile listings about people. I'm not the first person to have investigated this database. There was a story by the BBC about a mosque in London which had found its bank account had been closed inexplicably, and they noticed that they had a listing on this database which had connected the mosque to terrorism incorrectly. Then earlier this year Vice News did an investigation into the sourcing of this database, which found some problems. So I'm going to have to speed up. Over the summer some security researchers in the US, Chris Vickery at MacKeeper, found a copy of the database on an exposed internet site with no authentication whatsoever. So I thought it might be interesting to take a look to see if we can find out more about the problems with the database that have been reported on. So before I did that, I said, why do I want to look at the data?
I've mentioned that. Is it ethical? There's information in the system about individuals, it's personal information, but we are trying to serve the public interest and establish problems with the database. Is it legal? You might think that because the information is public, it's fine to just look at it. That's not true. The Data Protection Act still applies to already public information, so we had to establish that there was a public interest in doing this. I wrote a Python script to load the data. It was a four-gigabyte line-based JSON file, and I kind of flattened that and stuck it into Postgres so that I could query it. Then I did things like select all the entries where the biography contains the word "activist", because we would not want activists generally to be in this database of terrorists and senior politicians. I also needed to see exactly what the database looked like to banks that were using it. So I went to Google and did a filetype:pdf search, and I found actually a printout from World-Check that somebody had stuck on a public web page. And then I also thought, I noticed an entry where, all of the entries list the web pages that they've used to compile the information, and I noticed one of those was a weird conspiracy theory website. So I went and found a list of conspiracy theory websites, loaded it into my Postgres database and did a join to see if there were any other conspiracy theory sites mentioned, and there were. Finally, I needed to confirm which banks use this. They say in their marketing material that 49 of the 50 of the world's biggest banks use World-Check. And I wanted to make this relevant for my UK audience and confirm which UK banks were doing this. If you ask any of the banks, they won't tell you anything about this. So I went to LinkedIn and searched for World-Check site:linkedin.com. And people gave quite a lot of information about how they do their jobs on LinkedIn. So this guy has mentioned that he uses World-Check while he was working for Barclays.
And then this is how we told the story. We focused on some specific examples, like this nine-month-old baby, who was the child of a minor member of the royal family, was included in the database as a politically exposed person because they could be a money launderer. That's pretty much my time up. If you'd like to read the story, please drop me an email. If there's any other data you think I should look at, please also email me or give me a call this afternoon and we can talk. Thank you very much.

Thank you. Next up is make politics fun again, austerity map, in four by three ratio.

Many of you potentially have had the situation. You talk about politics and then there comes this reaction: come on, let's talk about something else. It's boring. Yeah, I know there's Trump, but how does it affect me? And an easy slogan would be to say, make politics fun again. So why should politics be boring if it affects our everyday life? Now, I think the problem here is that if you don't wanna be a populist and claim easy solutions for complex problems, you easily get into the territory that you have a lot of statistics. You can talk about income inequality, social inequality and all that stuff, which is very important because it affects millions of people, but you can't really relate to a statistic. So there was a nice talk on the first day here about data visualization, and 1,000 refugees dying in the Mediterranean pretty much does nothing, but one person with a picture dying generates lots of donations. So how can we turn the topic of income inequality, or more specifically austerity, which may be more commonly known as the devotion to the black zero with Schäuble as the grand cleric, how can we turn this into something where people can easily understand the topic and relate to it? And I think there we come to a potential solution: a map.
So one could use OpenStreetMap data, for example, as a backdrop, starting with universities, and then gather data about specific consequences of austerity, like overcrowded classrooms because you don't have enough money for professors and so on, or crumbling infrastructure. I think there are lots of examples out there, or if you wanna expand the scope, you could look at public baths that are closed, or libraries, museums, theaters, and the list goes on. So there's a lot of data which could be gathered and presented on a map. And then if you look at it and have a red dot, for example, for every specific issue that follows out of austerity, it all of a sudden becomes visible. You can look at it on a German scale, for example, or Europe, depending on how many people would participate and how many people would do this project. And then you can see, yeah, there are lots and lots of specific things happening. So it's not anymore some abstract academic problem, it's some specific problem that you can relate to. And I think that could potentially also change the political discussion, especially depending on how good this could be realized for the 2017 elections, if you have the ability for progressive parties, for progressive politics, to really make arguments on a relatable emotional level that is not populistic. So if you have more questions, which I can't go into here because of the time and the length of this thing, feel free to contact me on Twitter at two Martins or write an email to austerity at two Martins, and because there's a little bit of time left, I just want to say, after all the events in this year, you may all live long and prosper, and if you're eligible to vote, go vote in the next year. Thank you.

Next up is Panopticon in four by three. It's a four-by-three day today, I think. Okay.
Hello everybody, my name is Kai and I'm here today to tell you about a little open source project I do, which is called Panopticon, which is a libre cross-platform graphical disassembler. And it's meant to be a replacement for commercial applications like IDA Pro, Hopper, BinDiff and Deluxe. So this is what it looks like. You can open a binary. It will start disassembling and give you a list of functions. You can click on one of the functions and it will display the control flow graph. You can pan around the control flow graph, zoom it, add comments and explore the application. Currently it supports the Intel architecture, both the 32- and the 64-bit variant. It also includes most of the SIMD instruction set. So you can disassemble the crazy memcpy, highly optimized versions that are in glibc. It also supports two 8-bit architectures, the AVR and the MOS 6502, so you can analyze your C64 applications. Currently it only supports ELF files, and a PE loader is currently being developed. What Panopticon wants to do better than most of the tools we have now is to make a bit more static analysis accessible for people who don't have PhDs in computer science. So most of the tools we use now do not know much about the semantics of the opcodes. So they know what they look like, but they don't know what they do. What Panopticon does is, when it disassembles a mnemonic, it also emits a short snippet of code in an easy-to-analyze language called RREIL. This language can be used to analyze the operations that are done in the application. So you can do something like track data flow throughout the application. Panopticon, for example, can figure out when a function kills a register or reads it. Also, when you have a rather complete implementation of this, you can also do more advanced static analysis like model checking or execute parts of the program using intervals, for example.
So you can fix a certain register to an interval, say from zero to one million, and Panopticon will give you all the other intervals that are possible when the application executes. Everything is written in Rust. It's around 25,000 lines of code. The front end is done with Qt and written in a language called QML, which is essentially JavaScript. This allows us to make Panopticon look more or less the same on all operating systems it supports. So, this is the website. In case you want to help me or just check it out, you can go there. There's also a link to the GitHub repository. We have an open development model. You can use the issue tracker, you can send me a patch and I will try to merge everything. Thank you.

Thank you. Next up is LibreSolar in 16 to nine ratio.

Yeah, hello, everybody. I want to introduce a project called LibreSolar, which aims at developing open source renewable energy hardware which can be combined into a system and then used for different applications. Oh, I'm sorry. That's the old version of the talk and I sent you a new one. It says here modified yesterday. Okay. Yeah, I mean, we still have time. We have lots of time actually. We have six minutes. I have six minutes to check my mail now. I can go slowly with this. Let me just start up all this tunneling stuff and so on. Yeah, yeah, let's always use the Japanese melody. That's nice. So, I hope we're not getting sued for that. Solar. LibreSolar. Martin Geiger. Okay, you sent a new URL. Yeah, it's the same URL. Okay, yeah, yeah. I'm very sorry for this. No problem. Actually, this never happened to me before that something gets messed up during the lightning talks. Okay. Let's see. So, I have some other slides here. Maybe these are the correct ones. I'm sorry for interrupting this. The correct ones, and a bit fewer slides. So, I hope to be in time at the end. We can reset the time. Would you like to start again? No, it's okay. It's fine. So, yeah, the applications for the components are listed here.
So, either off-grid energy supplies. So, if you're living in a caravan, you could use the system, or in a boat. Then it could be used in festivals and other events, or also for rural electrification, although until now the components are a bit too expensive, probably. Yeah, and also for disaster areas like floods and so on, to get a stable, easy-to-use energy supply. Then, of course, grid connection could also be used. So, you could extend your normal AC grid for self-consumption and use a battery in the system. And then, yeah, feed the excess energy into the grid. The most important features are: it should be easy to use, so also plug and play for my mom, yeah, and without any advanced configuration. Then, with the use of a communication interface, you can put advanced features into the system. It should be safe, so a voltage below 60 volts is planned, and it should be reliable. So, how could the system look like? This is the most obvious approach. So, you take a battery and then put some different components on the battery bus. So, it could be a 12-volt lead-acid battery or also a lithium-ion battery. But the disadvantage of this system approach is that the voltage of the battery defines the entire bus voltage. So, each component would have to know what the voltage set points of the battery are. So, if you introduce a second DC-DC converter between the battery and the DC bus, then you are able to set the voltage independent of the batteries, and then you are also able to introduce more batteries and enhance the reliability. With this approach, you can use the bus voltage to have a very basic means of communication. Like in the normal AC grid you have the frequency and the voltage, and here you could use only the voltage to communicate if there is more renewable energy in the system or if you should be careful with using energy because it's low in energy.
So, high voltage would mean you have a lot of excess energy, and low voltage means you are almost switching on the diesel generator in the case of an off-grid system. So, with this approach, you can also prioritize a load, which is seen on the right. So, if you have a set point where the loads are switched off, that would be this location, then a load with high priority would be switched off later than a load with lower priority. Yeah, and also for a diesel generator, you would switch it on as soon as you reach a very low voltage, and if you have really a lot of excess energy, you could even use it for heating. So, for this system, of course, we need some components, and the start is now a 20 amp DC-DC converter, which is normally used as an MPPT solar charge controller. MPPT means you can track the maximum power point of the solar panel. The previous version was 12 amps, but now with the 20 amp version, you can use one large, cheap rooftop panel and attach it to a 12-volt battery. Yeah, the new revision is shown below and it will look like this. So, yeah, with a nice housing as well. It's based on ARM CPUs, which are maybe a bit overkill, but this enables you to have sophisticated communication measures. Now, we are planning to use the CAN communication protocol with the CANopen stack on it, and this needs a bit of processor power, so the initially planned AVR microcontrollers were not sufficient. Yeah, you can extend the boards with a flexible connector and put your own displays on, have other ADC channels and other digital inputs and outputs. Then there's also a battery management system for up to 15 cells in series, which handles all the balancing and protection stuff of the lithium-ion battery, also based on an ARM microcontroller. The board looks like this. Yeah, and now I'm almost done with the talk, so if you are willing to collaborate, visit our GitHub repository or directly contact me.
As open hardware development is a bit more difficult than software development, because you need some hardware to test it, we could potentially order some more PCBs together and work on the system. Okay, thanks.

Thank you. And again, my apologies for not having the slides ready. This is really, I'm really sorry. So, let me just get it up again. The next talk and the last one before the break is JavaScript story, or JavaScript, or whatever you want to pronounce it.

Hey, so I like to sometimes do this. Open the browser, you know, you're just sitting there at your computer, have nothing better to do, you think, okay, let's open the browser, let's browse the web. And so you go to this really cool web page, like you'd be typing, typing, typing, and then you type the other C% when you get a blank page. So what the hell? I mean, why can't we at least have this? Seriously, how hard was that? How hard was it to do it? Well, it was exactly this easy. So web devs here in the room and friends of web devs, please learn this, please, please, please. Thank you.

Thank you. Let's start with the last part of the last session of the Lightning Talks on the last day of Congress. The first talk is going to be WhatsApp vulnerability in 16 to nine ratio.

Hello, everybody, my name is Tobias Boelter and I want to quickly share a flaw that I found in WhatsApp. And you might also want to call it a backdoor, because it effectively allows WhatsApp to intercept targeted messages, and they haven't fixed it since April. So yeah, WhatsApp is used by one billion users all around the world. So six out of seven people do not use WhatsApp. They were one of the messengers that early on had an effort to implement end-to-end encryption, fortunately, and they completed this effort in April 2016. They implement the Signal protocol, which is pretty much state-of-the-art when it comes to cryptography, and it's known from the Signal messenger, which was previously known as TextSecure.
So let's quickly look at the flaw. So Alice and Bob want to communicate, therefore Bob uploads his blue public key to the WhatsApp server, Alice downloads this key, and if they do not want to only do opportunistic encryption but really do end-to-end encryption, they would meet in person and verify the fingerprints of the public key. So now when Alice sends a message to Bob, she would encrypt it with this blue public key, here highlighted as blue text. But now, when the WhatsApp server immediately after that announces a new public key for Bob to Alice's client, let's say the green public key, which actually belongs to WhatsApp, for example, then Alice's client would automatically re-encrypt the message with the new public key and retransmit it to the WhatsApp server, effectively allowing WhatsApp to read the message. Only after that has happened is a warning displayed on Alice's client. And if there are any Android experts in the audience, then you could maybe also check what happens if, after step six, the WhatsApp server would announce the blue key again to the client. If the message then would even be displayed, I don't know, you can maybe check that out. Anyways, the server can always just forward the old message to Bob's phone, and then Bob wouldn't even notice that anything has happened. Here are a few screenshots that demonstrate this flaw. Of course, you can see the timeline on the slide, so that's a little bit weird, but yeah, it works. I verified it again two days ago. Signal, on the other hand, is doing it right. They display a warning and they never retransmit the message. And there's absolutely no reason to automatically retransmit the message, not even from a usability perspective. Yeah, so I disclosed this flaw to Facebook, which owns WhatsApp, in April. They said this is expected behavior. I said this shouldn't be expected behavior. And then they acknowledged the flaw, but they are not working on changing it.
Yeah, and two days ago it was still not fixed. There are a few more reasons to use Signal instead of WhatsApp. Signal is open source, and with their efforts to introduce reproducible builds, you can convince yourself more of the fact that there is no backdoor in the Signal implementation. And also WhatsApp may store more metadata than Signal does, according to their privacy policy. Yeah, that was my talk, thank you very much.

Thank you. Next up is LibrePCB, also 16 to nine.

And welcome, we want to introduce LibrePCB. It's PCB software in development, it's free software. It's not mainly developed by us two, but we're helping a bit. So, hi Urban in the stream. About the software: it's a free, open source electronic design automation tool. So you can create a PCB, you can create schematics. It's multi-platform, it's written in C++ with Qt. It started in 2013, so the project is already a few years old. You can find the website there and we're also on GitHub. So now the question, why do we need a new PCB tool? Most EDA tools are only available on Windows. They are mostly costly if you use them for commercial use. And if you get a hobby license, you have limitations: the schematic can only have one sheet, or the pads or wires are restricted. Also, most free EDA tools are old-fashioned and not very intuitive. Most commercial EDA tools use proprietary binary formats, which are not really good for version control. And some of them even force you to use cloud storage. Also, the library system, which is used to handle the parts, is inflexible and hard to use. So, LibrePCB focuses on the following features. It should be available for everyone, so it's free and open source software and multi-platform. It has a modern user interface and you have automatic forward and backward annotation between the schematics and your PCB board. Also, the file format it uses is human readable, so it's well suited for version control.
The main focus of LibrePCB is on the library system. It should be easy to reuse parts of your library, or reuse parts that others have created, and so on. Also, it uses UUIDs, so you can't have name clashes, and it uses tagging or categorization for all its library elements. And it is prepared to integrate SPICE models and 3D models. Yeah, so here you can see a screenshot of the application. The idea is that it's all in one application, so it's not a collection of different tools that need to talk to each other, but it's like one integrated application that should make it easy to go back and forth between schematics and footprints, layouts, parts, editing, et cetera. The schematic editor is this one. So as you can see on the right, you have automatic ERC checking live. So if you add a new part, it's being checked while it's being added. Thank you. And you can also see the components, which are categorized into different categories, and yeah, if I remember correctly, parts can be in multiple categories, which makes it convenient to find them. Here you can see the board editor. It's not really finished yet, but the basics work already. Yeah, it's what you know from most PCB tools. And now for library management again. The library manager is quite cool already. It allows you to download libraries from GitHub. It just downloads a zip file currently. So the plan is that you could just download user-contributed content. And also, if you make a fix, you could directly create a pull request from the application if you fix a part. So yeah, the project is still unfinished. So contributors are wanted. So just fork the repo and commit. Thanks.

Thank you. So the next talk is Rust in five minutes. Okay. Please go ahead.

So yeah, after LibrePCB, I want to give you an introduction to Rust. First of all, what is Rust? Rust is a systems programming language that runs blazingly fast, prevents nearly all segfaults and guarantees thread safety. This is how Rust describes itself.
So it advertises with the following features: zero cost abstractions, move semantics, guaranteed memory safety, threads without data races, trait-based generics, pattern matching, type inference, a minimal runtime without garbage collection, and efficient C bindings. So this is just the description that you can read on rust-lang.org. So if we talk about safety, we talk mostly about memory safety and type safety. And classically, you have C and C++, which give you a lot of control but not very much safety. On the other side, you have Python, Ruby, Java, C#, which give you more safety but less control. So the question is, why can't we have both? And Rust gives you more control and more safety, or it tries to. So it has come to say: fast, safe, concurrent, pick three. That's the motto of Rust. Also, if you say it's a systems programming language, we mean that it has fine-grained control over memory resources, it's close to the metal, and it's actually possible to write an operating system with it. To the right you see Redox. It's an operating system completely written in Rust. It's quite cool. Check it out. If we say it's blazingly fast, we mean it's a compiled language. It uses LLVM for optimizations. So you get optimizations from the whole Clang tool suite. And it features zero cost abstractions. That's a concept from C++. That means if you use a high-level abstraction, it should compile down to code that you can't make any faster if you would do it by yourself. Yeah, and it also focuses on safety. To the right, you see the average C++ programmer, like me. I mean, with C, it's easy to shoot yourself in the foot. With C++, it's less painful because it aims directly at your head. And... Yeah, Rust guarantees you that you have no null pointers, no dangling pointers, and no data races. It uses a unique concept, a new concept of ownership and borrowing. That means every resource has just one owner.
The owner is responsible for acquiring the resource and releasing it. So variables are always moved to new locations. But they can be borrowed if you just need them temporarily. But you can either have unique access with mutation, or many immutable borrows. And this is all enforced at compile time, which is quite unique and awesome. So Rust comes with Cargo, an awesome package manager. It just fetches your dependencies. It's like npm or pip or something, it just learned a lot from the past. So the crates are immutable, so you have no left-pad-like disasters. The community in Rust is also very friendly and welcoming, so you can just go to IRC, ask questions, and everybody's happy to help. And also the language is actually developed in the open, so you have these requests for comments on GitHub, where you discuss language features. And it's also very easy to get engaged. Yeah, Rust is used in the wild by Mozilla. Mozilla is backing the language and uses it for Servo, their next generation parallel browser. Also Dropbox is using it. There's an interesting blog post on how they use it. MaidSafe uses it, and Parity, an Ethereum client, is written in Rust. So it's already used. If we have time, yeah, we have some more time. This is how Rust looks. So functions are annotated with fn, then Rust is immutable by default, so if you want to change something, you have to mark it as mutable. For loops, you have quite high-level abstractions. You can just iterate over all the chars in the string we have here, then use match to match on them, and then, yeah. So, so much for Rust. Thank you.

Thank you. Next up is Tindering Islam. There you are, all right. I think this is four by three. I think, I don't know. This looks weird, no problem. Okay. Please stay as close to the mic as possible.

Okay, hi everybody, thanks for being here. I'm Yasser. In 2017, we're gonna celebrate the 500th anniversary of Martin Luther's reformation of the Christian religion, and today we're gonna reform Islam.
So, we know each religion has a God, and the new information for you might be that each God has a router. This router transfers the divine knowledge from the hard drive of God and distributes it through the ether in the universe. But not everybody can receive that. Actually, you need special people called prophets, who would actually receive this information somehow and then distribute it to everybody. So, as we, these prophets were actually the mobile phones. Just like the router, when you put it in your home, it distributes the signal everywhere, and then you should look for the right frequency or right place to receive this signal. And some people other than prophets are trying to do this by doing circles until they reach the right frequency, where they get connected to this divine channel and then get the information. And this is a widely used religious ritual. So, let's talk about the secret recipe of Islam. It consists of the Holy Grail, the Quran, and then Hadith, what the prophet said in his life, and the four famous interpretations, which everybody can cherry-pick or deny or just put in the drawer. So, we're gonna ignore the last two and just go for the Holy Grail. It says: if you fear that you will not deal justly with the orphan girls, then marry those that please you, a woman, two, three, or four. So, many people would say, yeah, I don't like it. It's not like what I believe, but I can put it on the side. It's interpreted in another way, and everybody has a different argument for this. So, that's why I'm introducing today Tindering Islam. I think you're all familiar with both concepts, Tinder and Islam. So, we're gonna create an app that, instead of people and shallow pictures, would show you what you want to cherry-pick and put in your pocket and leave the rest. So, it's a pretty simple procedure. The app looks like this. You will have the verse. Okay, so for the time now, you either say yes or no.
And the database consists of Excel or XML or other database formats, where the server actually can manipulate the data, collect it and analyze it. So, this is how it works. You have an XML sheet of the Quran that has 6,000 lines and a server application that creates user accounts and then saves your progress over time when you are playing. And then it should always ask you the question: do you want to keep this verse or delete it? And then at the end, you will have a layout. So, I hope you can read it. You have a template layout, just like an Arabic book with some ornaments and so on. And then you can export it as PDF and write your name on it and publish it to everybody. So, thank you, no time. So, basically, this is a small idea. It's been going around for one and a half years now. And it's a message for everybody, not only believers, but also non-believers, to create their own version of the religion and stop saying this doesn't belong to Islam and this belongs, so just put out to the world what you really want. And then we can actually, for the IT people, we can collect data and make statistics and see which verses are liked, mostly liked these days, and which are not. And then we can get an idea of what's going on in the Islamic world. And the last thing is that I would like to break the holy book's fake preservation aura. So, everybody says this book is holy and should not change. No, it should change. And everybody could actually issue their own version of this. So, thank you. I would like to call the IT people to contact me, please. Maybe you say, like, in one hour we're done with the app and we can publish it today, or just we can publish it later next week. I think. Thank you so much.

Thank you. Next up is Orwell's Law. Orwell's Law comes in four by three.

Okay, so, hi everyone again. I am Zlo and I came here to talk to you about the law which we call Orwell's Law. But first, who are we? We are DBIS, and it's not database as a service.
It actually stands, in Czech, for digital security and privacy. And the main idea is that we want both, and we all think that it is achievable to have security and privacy at the same time. We are a newly formed initiative, and the reason we formed is because the current situation in the Czech Republic is changing, and it's changing in a direction that we don't want. A few months ago a censorship law passed which gives our finance ministry the ability to censor the internet. Basically they say which websites or URLs shouldn't exist, and Czech ISPs are forced to somehow magically make them disappear, even though it's technically not really possible, but that doesn't mean that it's not in the law. And currently the law enforcement agencies need court orders to spy on people, and that is something that is about to change. And also the secret services are somewhat restrained, but not really, it's like a gray area. So what is changing now is everybody wants to defend the cyber. Even NATO said that cyber is the fifth warfare domain. So they brought this new amendment to the secret service law that basically says every ISP has to implement the black box, and it's not really concrete. Like, they can just put anything inside. It could be an interception box. It could be NetFlow stuff, or it could be anything else. Like, it's not really concrete in any point. And the thing is that they're not even ashamed that GCHQ helped them to draft this amendment, which is really worrying for us. We also know that it's not really a possibility to just scrap this law and not have it. We understand that the state needs to somehow defend the cyber, but at the same time we want to do it in a way that keeps the privacy of as many people as possible. So they also introduced gag orders in the new amendment, which are huge. It's not huge in like the European huge but in Czech huge, so it's a few million euros for every leak of the gag order, and it also applies to all of the employees of the companies.
So there's also a lot of shady stuff behind this. Like, the people who proposed this are morally questionable, to say the least. Like, they did some weird stuff. Also they want to give this power to the Army Secret Service, which was abused two years ago by a lady who is now married to our old prime minister. So it's like really weird. She wasn't even, she shouldn't even be able to contact the Secret Service, but somehow she forced them to spy on his ex-wife. So it's like really convoluted and weird. Also the minister who introduced the bill is openly lying on TV and radio about the new amendment, or he doesn't know what the law actually does, and I'm not sure which one is worse. And one of the worst things is that there's no oversight. Like, there's nothing; once the bill is passed there's nothing else that people or the companies can do, because they have no way to challenge the black boxes. They're currently saying that they only want to monitor people like the cameras at the highways, which take pictures of everybody, and only those who break the rules are then brought to justice. But in reality, what the law says is much broader. So why am I telling you this? It's that I would like for you to go to one of those web pages and sign the petition for us. If you are from the Czech Republic, please inform other people about this, or maybe in neighboring countries as well. And if you are a reporter, please write an article about this. So that's all I wanted to say. Thanks.

Thank you. Thank you. Next up is Elphel. But you're probably going to pronounce it the correct way. It's a four by three ratio.

I will briefly present to you a new generation of Elphel cameras. So it's open hardware and free software cameras, or configurable cameras. So the new generation, the new camera series, is powered by the Xilinx Zynq SoC. Sorry, thank you. Which is a high performance FPGA with dual ARM CPU and a huge set of peripherals.
The camera is running the GNU/Linux operating system, but the image compression is done in FPGA and is implemented under the GNU GPL license. The camera provides up to a one gigapixel per second video compressor. And anyone is free to modify any camera components, parameters, software, port software to FPGA, implement FPGA real time video processing, et cetera. Or even develop new sensors. This is the new camera's PCB design. The previous design has been in production for seven years already. Also, thanks to the FPGA flexibility, it was upgraded and extended several times during these seven years. We had, for example, three revisions of different sensors with this camera. The new one is using this Xilinx FPGA with dual ARM CPU, one gigabyte of system memory and 0.5 gigabytes of additional video compression memory. The system board can handle up to four individual sensors, or with a multiplexer board it can even be extended to up to 16 sensors per camera. So the main class of application for these cameras is multi-sensor cameras. You can play with all the different camera models on our wiki. We have these X3DOM models that are automatically generated from the STEP files we use for production. So you can virtually disassemble and reassemble all camera components on the wiki. And if you click on a particular component, you can see the wiki page for this component. And of course there are PCB layouts and everything on the wiki. So for licensing, we provide all our source code under the GPL v3 license, including FPGA code. The documentation is under the GNU Free Documentation License, and the hardware and mechanical components and designs are released under the CERN Open Hardware License. So it's a hackable camera. It can handle up to four sensors with just one motherboard, or up to 16 with multiplexers.
And you can hack the different components, like the firmware, port new software on Linux, do some FPGA design, real-time image processing in FPGA, new electronic components, new sensor boards or extension boards. And of course change the physical layout of the camera case, like 3D printing your camera. We provide a combination of an aluminum fixed structure for holding lens and sensor boards, and you can 3D print your own camera arrangement, like a stereo camera or panoramic camera or whatever. Why multi-sensor? The simple answer would be: because we can. And using multiple small sensors, you can have many interesting applications like panoramic imagery or even cinematographic, sorry, I skipped the calibration. You can read about the calibration on our blog. And you can have applications like this. For example, it's a cinematographic camera with dynamic depth of field in post-production. And you can apply for a sponsored camera. Please see our wiki and contact me. Thank you.

Thanks. Just in time. Next up is jailbreaking governmental data: PDF becomes RDF, in 16 to nine ratio.

Hello all. I hope you had a nice Congress so far and washed your hands often enough. Also, thank you to the team that managed to get the wiki up and running during the Congress this year. Thanks a lot. How many of you have heard the term RDF before? Nice. And how many have heard the term linked data before? Almost the same, a little bit fewer maybe. Okay. So, what am I about? Public services and public administrations have started to publish lots of their data more and more, but they like PDFs very much. Maybe because they resemble the printed paper better than anything else. And so there is lots of data buried in PDFs, which is hard to pull out. The administrations are not hesitant to publish.
They cooperate with OpenStreetMap, for example; the Bavarian OpenData initiative is five or six years old already, and they collaborate with OpenStreetMap, and they use licenses very similar or equal to Creative Commons licenses. So things are very much improving there, but they still publish much of their stuff in PDFs. So I took the example of the Bavarian list of historic monuments, which is probably not the most interesting, but it is a simple case. And I wanted to see if it's feasible to turn them into RDF, which is a very well linkable data format and typical for use in OpenData scenarios. So this is what the initial PDFs look like. This is a DIN A4 page, the top of it. And they can be up to several dozen or even hundreds of pages per municipality. For example, Munich has, I don't know, 150 pages of it. There are other areas in Bavaria which are much smaller. And it's a very simple list. So I start and, well, let's skip that one and just grab all the PDFs I can get from all municipalities on a daily basis. Then I run a converter over it from the Poppler freedesktop project that turns it into a simple XML, which is still very close to the PDF. Then I consolidate this XML and pull out the actual content and throw away the page numbers and stuff. And turn it into TTL, which is a W3C data format. And this last step is done with custom software, which I wrote in Go because Go launches quickly and has a nice standard library, including XML deserialization, which came in quite handy. And finally, I turn it into RDF with the so-called Swiss knife for RDF, or for the semantic web data formats, with rapper. So this is what the first step of conversion looks like. This is, well, typical XML garbage. Then the next step is a text format. That's the Turtle or TTL format, which is then semantically meaningful but not easily consumed in the browser, for example.
Then the next step is RDF/XML, which gets a style sheet clause in the beginning and is very easily viewable in the browser with this very simple style sheet. It has an HTML view, which looks like this. And that's very similar to the initial PDF, but it is now in a textual format, which is very lightweight and can be dived into and directly linked into, because now we can use anchors, and every item in it has its own linkable ID, whereas before it had its theoretical ID or its administrative file number. So that's the result, and it's deployed on a web server with nearly nothing in terms of database or stuff. So thanks a lot. That was it.

Thank you. Next up is Meetling in four by three.

Okay, hi everyone. I'm Sven, and today I want to talk with you shortly about meetings. So if you ask the internet, the internet knows meetings are just broken. Okay, not all of them, but many of them. I think many of us have been there, and they are broken in many, many, many different ways. So I can't fix meetings here in five minutes. I just want to focus on a few problems related to the preparation of meetings. So if you imagine a classical meeting, a round table, a bunch of people around it, and they discuss some topics from an agenda, many people have this feeling depicted by our beloved sci-fi hero here. Why, oh my God, why do I have to go to this meeting? So let's look at some problems why that could be the case. First of all, in so, okay, thank you for it, yes. First of all, there could be an issue of transparency. Like, maybe you don't even have an agenda. So I don't even know what will be discussed at this meeting, or there is an agenda, but someone forgot to send it around, or just some people got the agenda by mouth to mouth propaganda. So this can be very demotivating. The larger point is relevancy. So I go to this meeting and I have the feeling, okay, why does it concern me? What does it have to do with my work? Really, I just have to be there, but I don't know why.
So I think these are the two biggest motivational problems. A smaller one is the workload. So most often you have one moderator that also prepares the meeting. He has to do all the work. That might be okay, but it can be quite hard to know what is relevant in a meeting for everyone that attends. And if you have a non-company setting, like an activist politics group or something where people do this in their free time, it can be a high workload just to prepare. So a good moderator, a good preparation, can solve those problems, but maybe we have a more creative solution, and what I propose is: make the preparation of meetings more horizontal. So let the participants take part in the preparation. If you let them take part, let's say there is some place where they can gather points that they want to discuss. So every participant can just propose agenda items and so on. So they see the agenda while taking part in the preparation, so it's more transparent. I will logically just propose agenda items that are relevant to me. I can still propose some that are not relevant to others. So this doesn't solve the relevancy issue, but at least it makes it somewhat better. And you can distribute the workload somewhat. This is not a statement against a moderator that prepares the meeting. Well, I think a hybrid approach is cool. So like everyone can take part in the preparation, and then there's this one guy or girl that just takes the agenda and clears it up a bit. So if we think this could be a cool solution, then we need a way to do it. And I propose this. It's called Meetling. It's just a very simple web app with the goal to collaboratively prepare meetings. Yeah, what can you do? No magic involved here. It's just like you can collaboratively draft an agenda. Everyone can propose agenda items, edit the meeting details and so on. This should be all, or is, very simple to use, and there's no registration step or something like that.
You just have a page, you have a link, you share the link with your coworkers or whoever attends the meeting, and then you're set. And so I think most of you know Doodle. If Doodle is for the metadata of meetings, like when do we meet, then Meetling would be for the contents of the meeting. What will we discuss? Yeah, for the tech people, what is the stack? It's Python with Tornado as an async I/O web server. We have a Redis database, some JavaScript, modern HTML and so on and so on. Let's have a look. Like I said, no magic there. It's just, this is what a meeting would look like. You have some broad description of the meeting and where it is and so on. And then you have the agenda and everyone can propose stuff, delete items, whatever. Yeah, so if you like the idea, you can just use it. It's free and it's online and it works, and it's used in production already. So go to Meetling.org. It's of course open source. So just follow this GitHub link, and I'm looking forward to your issues and feedback and pull requests. If you have any questions, there's my contact info. Thank you.

Thank you. Next up, the Yara rules project. Yara rules in 16 to nine.

Okay, so hello. I'm here to talk about a little project some friends started. It's called Yara rules, and first of all, for those of you that don't know about Yara, the app it's based on, I'm gonna talk a little bit about it. Yara is a tool whose principal or initial aim was to help malware analysts or malware researchers to identify and classify malware samples, but over time there have been many other use cases, as we will see afterwards. Well, with Yara what you can do is you create descriptions of whatever thing you wanna look for, based on text or binary strings, binary patterns. And then in each rule, you put this set of strings or patterns and an expression that tells the application the logic of the rule. Just a little example. Here you have a rule that on top has the name and some tags.
The first part is the metadata. Then the second part is the actual strings that will be matched against the value you input to the application. And then last is the condition. In this case, at least one of these three strings has to appear in the file. So you have seen that it's more or less easy to write the rules, but there was no centralized point for these rules to be kept in. So we made it on GitHub, so it's open source, it's public, you can go there. A repository, a community-contributed repository of Yara rules. And in that repository we maintain it and try to enrich the rules a little bit. First of all, categorizing them. The principal category is malware, but you also have mobile malware; this part about mobile malware is very interesting, and it's possible thanks to some friends of ours who made a module for matching Android apps with Yara. And also you can have crypto, anti-debug techniques, general utilities, rules matching emails or email addresses and so on. And apart from categorizing them, we add tags to the rules, we remove duplicates, and we'll start soon to optimize some of the rules. And that's how we created Yara rules, because we think Yara is a very useful application and wanted to spread the Yara word to the world. After creating the repository, we wanted to spread the word of Yara further and created a webpage where you can upload any file you want and we will run it through all the parts of the rule set we have on GitHub. You can see the main page here, and you can choose any rule set you want. When you upload that file, it goes to the analysis page that looks like that, and when you click on a link, you can see all the characteristics of the result, and for each category see if it matched or didn't match any rule, and then if it matches, you can see the matches and the meta of the rule that has matched. Here you have some resources. That's it. Thank you very much. Thank you very much. Thanks. Thank you.
Never again. Tech pledge, it's four by three. Hi, my name is Ping, and I'm a Canadian living in the United States. I want to tell you about a project that I helped organize. This is very recent news. This all just happened in the last couple of weeks. So you might have heard that Donald Trump invited the leaders of some major technology companies to meet with him at Trump Tower. He included executives from Google, Facebook, Microsoft, Amazon, Oracle, and so on. And this was a cause for concern among many of us because Trump has made many negative statements about immigrants and Muslims before. When asked whether he would build a Muslim registry, he replied, "certainly we would implement that. Absolutely." He said he would deport millions of immigrants immediately. He has said, "I want watch lists. I want surveillance. I want a database of Syrian refugees." And these major tech companies have the data and systems that could be used to track these people. So it's reasonable to be concerned that Trump might ask them to help, or pressure or even bribe them. And the leaders of these tech companies were not making any statements or taking public positions about it. So my friend and colleague, Leigh Honeywell, thought that maybe as individuals we could take our own stand. And so she drafted this pledge, which other people helped her edit. A bunch of us worked with her on it. I helped her edit this. And you can see here the final version of the pledge which we published. It acknowledges the role of technology in mass injustice, such as the way that IBM collaborated to make the Holocaust possible, and contains a list of commitments. So people who sign this pledge are promising not to help build these databases, are promising, if they discover unethical use of data for this kind of targeting in their companies and organizations, to work to stop it, to blow the whistle, and, if forced to participate, to resign their jobs rather than cooperate.
So this is quite a strongly worded statement, and we planned to go public with it on December 13th, the day before Trump was going to have this meeting, so the media would be reporting on it while the meeting was taking place. We collected about 50 signatures to publish with the pledge initially, on launch. We prepared the media for the launch, and we indeed published it on December 13th and started collecting signatures publicly. Within a couple of days we had over a thousand signatures, so you can see people here from all of those major tech companies I mentioned, all across the US tech industry, signed this pledge: not just engineers, but also managers, directors, even founders and CEOs. And from some companies we got mass signatures. People would organize inside their companies as a group to have a signing party and then send us 30 or 50 signatures at once. So we were reported upon in the news quite widely. We got in the tech press, in CNN, also reported by Al Jazeera and Forbes and the New York Times. And we even got exactly the headline we wanted, which is, on the day of the meeting, the headline was "While tech leaders talk with Trump, their employees pledge a fight." So we worked very hard to verify all these signatures. We had thousands of them coming in, and we had volunteers confirming that each one was actually a person signing on their own behalf. So after a week of working day and night, we decided to stop publishing new signatures after we had collected 2,800 signatures to this pledge. And then the next day, the New York Times published this article on the closing of NSEERS, the Muslim tracking registry for immigrants in the States, and it contains a statement: Facebook, Microsoft, Google and Apple are among several technology companies that publicly stated they would not assist the new administration in developing any program to collect information that could be used by the government to track immigrants from Muslim countries.
The technology companies took action after thousands of Silicon Valley engineers signed a pledge saying they stood in solidarity with Muslim Americans and immigrants. So I'd just like to take a moment to credit... there's another slide missing here. Okay, I'd like to take a moment to credit the people involved with this. So there's an about page on the site, neveragain.tech, which is where this pledge is, which you can read to find out more about who is involved and how it took place. I'd like you to take away three things from this. So first, this is not a petition. We are not appealing to authority to do something for us. It's a pledge. Each person is making their own promise, and making a promise helps other people also refuse. The second is we did a lot with a little. It only took a couple of weeks of work to do this, but because of the timing, we were able to have a large impact because the media was reporting on this issue. And the third is never forget that as an individual, you have extraordinary power. It is not only acts by Trump that will need to be resisted. This is not the only one. It is not only acts by the United States government that will need to be resisted. We need resistance all around the world, and you can organize that resistance. Thank you. Thank you, thank you.

Next up is CyberGreen, in four by three ratio. All right. This is the next slide. Yeah. So I'm Éireann Leverett, or BSB. I'm Aaron Kaplan, spelled differently. And you can hear from my voice that I've been talking way too much at this conference. We'll try. All right. So this is the project called CyberGreen. First of all, I want to apologize for the name. The name was already there before I joined the project. I know "cyber" doesn't sound very cool here. Nevertheless, bear with us. The project is quite interesting. It's about metrics. So I'm going to hand over to the other Aaron now to talk about it. Well, you would say it was interesting because of course you work on it. But so do I.
And the gist of this is that we think there's not enough empirical science in a lot of security. There's not enough measurement. And we're also particularly interested not in risk to a particular target, but risk from other places. So we're looking at a variety of different DDoS risks. And we'll talk a bit more about that in a moment. So in general, with IT security flaws: not enough empirical data, not enough transparency. People will publish a methodology, for example, in a scientific paper. But they won't publish the code or the data that they used to do that research. And it makes it much more difficult to verify their research and see that the methods they are applying to fix these problems work. And not enough agreed-upon metrics. So what we're trying to be is rough metrics in the land of no metrics at all. So we know that some of these metrics won't be quite as accurate as we'd like. But we do have some raw counts of DDoS reflectors. And essentially, what you can't measure, you can't improve. So science ideally should answer a question. And the question we want to ask with this particular project is: how big of a risk do we pose to others? So as a particular ASN or as a particular country, how many reflectors, DDoS reflectors, are we hosting? That's a network externality on the internet. You could view it as a health problem. You could view it as pollution. This is essentially people who are not doing a good job configuring things and have a very serious impact on others. A lot of people think of DDoS as a good thing, sometimes, in some circumstances. But when anyone can DDoS anyone else anywhere, it's a form of censorship. And it's exactly the form of censorship that we would like to resist, in much the way the previous talk was talking about. So we're focusing on countries, ASNs and protocols, and the protocols we're interested in currently, and we will expand in the future, are DNS, NTP, SSDP and SNMP.
So I'll hand back over to Aaron to talk a little bit about the rankings. All right, so thanks. So currently we started small with these couple of protocols because they can be used for UDP amplification attacks. And we just developed a score. The score is still evolving. The next iteration of the score will basically take the number of, let's say, open recursive DNS servers, open NTP servers, et cetera, and multiply by the amplification factor. That will be the next metric. So the nice thing when you do collect data, let's say from scanning, is that you can develop interesting metrics with it. You can really develop a score similar to ssllabs.com, make that public, and also make the aggregated data public. Very important. We can rank by countries. We can look at the individual ASNs. We can have timelines for the individual ASNs. So this ASN in Singapore is generally doing pretty nicely. Here you can see it's all decreasing. However, there's a slight increase here. The question is why? Usually when you see a slight linear increase of something in this area, it's new CPEs, it's new devices being rolled out. So you can suddenly start to talk with the ISP and say, hey, why is that the case? Maybe you got something by default from the vendor which you shouldn't have. So they'll usually be very happy to actually talk with you. So another thing that we can do with a new metric, with an updated metric, if we have the amplification factor in the counts, like an amplification factor times the number of open recursive DNS servers, et cetera: we can sum these up and create a global DDoS potential time series, for example. So right now with these four different risks that we have, and I know these are not all, and under the assumption that every IP address has on average one megabit of connectivity, I know you can argue about that, but we can improve that in the future, you'll get roughly four terabits per second of DDoS amplification capacity. So it's quite interesting.
So you can do a lot with that data. As I said, the data is being made available on the web page. And yeah, pretty much that's it. Well, also we have an API. So get out there and use the data and do your own studies, have your own opinions about what's going on with this DDoS potential on the internet. Thank you. And we look for people who want to join this project. So please get in contact with us. Thank you. Thanks.

Now the last one, the last talk for today, is how eCryptfs and e4crypt make security worse, in four by three. Yeah. Hello. My name is Tim, and I had a look at eCryptfs and a few file-based crypto file systems. So basically there are three around. One is EncFS, which is completely FUSE-based and not so bad. And two, eCryptfs is a kernel-based file system on its own, and e4crypt is actually an encryption layer on top of ext4, the standard Linux file system. So these file systems come with a few security reasons and risks. EncFS: a good one tells us what these are. Yeah. And then I had a look at the eCryptfs manual, and this is a bit interesting because it has a tool called ecryptfs-add-passphrase, and this tool puts out a signature that you later use to mount the actual file system. And now I was really confused, because what the heck do they mean by signature? Where's the private key for the signature? Why is it looking like a checksum? And what data is checksummed here? So what is the purpose of the signature? The purpose of this tool is to add a passphrase to the kernel keyring so that eCryptfs can use it later while others can't. The kernel keyring stores passwords identified by labels. This is how that looks. You see the label on the right side. And so this is a label, actually. You can use "day of birth" as a label; using the actual day of birth as a password doesn't make sense at all. Yeah, later I looked into the code, and yes, they really do some checksumming here over the passphrase and use it as a label.
So this means they really did it. If you check in your Mint or Ubuntu installation that button down there, "Encrypt your personal data", this actually means that a pretty good part of your password is published system-wide when you have a look at the mounts, and every user has access to a hash of your password. It's not like we invented /etc/shadow 20 years ago to prevent this. And it's not even a good hash, it's very short. So I calculated you need, without compression, about 15 terabytes of space for a good rainbow table. So what about e4crypt? Actually, e4crypt does the same. It has e4crypt add_key, where you can enter a passphrase; you add a key with a descriptor, and yeah, it basically does the same. At least it provides you a documented salt option, which is undocumented in the previous tool, but basically it's the same issue. So why did they not use a checksum over the mount point as a label? And what else did the developers mess up? These are the questions that they leave us with. I have no idea how one comes to the idea to drop a hint to the password in the label. And on this terrible disappointment, I reported a bug to eCryptfs one year ago when I discovered it, and it's lying around there. And yeah, I started using full disk encryption with LUKS, which actually works for me. Thank you. Thank you. All right, so the lightning talk sessions are over for this Congress. Please give a huge round of applause for all of the speakers who came up to the stage and had the courage to talk to us. Also, again, a big applause for the translation team, who did awesome work on translating all the talks.