 Hello party people get ready to clap Welcome to the chaos West stage. We're now Jeremy Rand the chief developer of an amazing coin called name coin We'll talk about Even more amazing stuff Please have a no don't don't don't clap right now because we just had Jeremy the floors is all yours Thank you Alright, so I'm Jeremy Rand lead application engineer of name coin Okay, so For those of you who aren't familiar with name coin the brief one slide Introduction is think DNS, but secured by blockchain We are using the dot bit top-level domain We're the first project that was forked from Bitcoin way back in 2011 It uses special coins in Bitcoin terminology to represent names and We originally started out doing sensors of resistance as the primary use case But more recently we got we realized that privacy was a really important use case as well, and so we started Doing things with TLS because we thought TLS could use some blockchain love So for those of you who aren't familiar with how the certificate authority system works in TLS so TLS is the protocol that is used for authenticating websites with that use hdps among other things and TLS relies on these corporations called certificate authorities and these certificate authorities have the ability to to Misissue certificates if they choose to or force to or do so accidentally that can impersonate websites and this is really really bad Sometimes they've been Compromised by people who maybe were affiliated with Iranian intelligence agencies. We don't really know details And sometimes certificate authorities just are totally unethical companies There's a certificate authority called start com which basically tried to hold the entire internet hostage during the heart bleed crisis a few years ago And they suffered pretty much no major repercussions for that action So we'd really like to get rid of certificate authorities completely or at least as much as we can so there have been a lot of projects proposed over the years to try to get rid of certificate authorities or replace them in some way and A sampling of them is up here One of the better-known ones is called convergence It's by Moxie Marlin spike and the idea of convergence is rather than having to trust certificate authorities that are chosen by Either the website or the attacker impersonating the website the user gets to choose which trusted parties they want to authenticate websites and This is called trust agility And it's a legit it's a legitimate idea, but there are some problems with it as I'll get into later Another project that exists is called Dane which uses DNSSEC to replace certificate authorities the idea being if you can securely get information about a domain name then you can Verify what certificate is valid for that website and There are a few other projects out there that are trying just to Limit the amount of damage that a malicious certificate authority can do so these are things like HPKP, which is a public keypinning Things like certificate transparency So there's a lot of projects out there that are trying to fix the certificate authority issue but what's missing in all of them is The problem is all of those solutions that try to mitigate the problems of the certificate authorities They don't fix the underlying problem, which is that there are still a set of trusted parties who have the ability to Man in the middle a TLS connection at least at some point. They may be detected later, but at that point it may be too late So what we'd like to do ideally is make sure that only that no one is able to Impersonate a website via man in the middle attack and that if they try we want to be absolutely certain That it will be detected during the TLS handshake, and we don't we don't want any trusted third parties for this so The idea here is actually a fairly old one As I mentioned earlier Dane is a project that actually is very superficially similar To what namecoin is trying to do here the idea that Dane had is that If you if you can securely get information about a domain name using DNS sec and you trust DNS sec then you can just get a TLS certificate fingerprint over the DNS and then you're good you can just verify based on that and You know this is this has been standardized by IETF. It's a it's a reasonable spec The problem is do we really trust DNS sec DNS sec is controlled by the I can root key and all of the DNS registrars and registries That's a lot of trusted parties as well. So You know this may not really be ideal But on the other hand, maybe we do trust namecoin because it's backed by a blockchain To actually do what DNS sec tries and possibly fails to do So at least in theory, this should be fairly straightforward. The idea would normally be that you have namecoin just put DNS records which match the records in the Dane spec and Then it should just magically all work namecoin is interoperable with DNS pretty much completely So the problem here is It really is not that simple And I'll get into that in a moment, but basically In theory, you can even sign namecoin records with DNS sec using a local DNS set key So anything that speaks DNS sec and knows Dane should be able to handle this pretty much transparently The problem is that there aren't any web browsers that know how to use Dane And as a result we can put secure DNS records into namecoin that talk about TLS fingerprints, but that just isn't going to be read by any web browsers that exist and so There are some proposals in The web browser development community for having those Dane DNS records just attached in the TLS handshake as part of a stapled record The problem with doing that is that in order to sign namecoin records with DNS sec The DNS sec key is going to be generated on local host So the remote server is not going to know your DNS sec key It's not going to be able to work for that and so that approach which by the way also still isn't actually implemented in any web browsers That doesn't work either And unfortunately the chromium security team in particular has completely refused to even entertain the possibility of allowing for example browser extensions To To customize how TLS works in any way So there are a few methods that exist out there which can be used to sort of coerce a TLS implementation like a web browser into totally customizing how certificate validation is done The most well-known and probably most dangerous method is called the intercepting proxy This basically is a proxy that terminates TLS coming in and creates TLS coming out So the problem here is that that means the proxy has to do everything TLS related on its own And if you remember the Lenovo super fish bug that was in the news a while back the reason super fish happened was because Lenovo was was running an intercepting proxy and they made a mistake in how they implemented it and It Totally broke the security of the system and so from our point of view We don't think that intercepting proxies are really an acceptably safe way to customize how TLS works Even though they are very flexible and they would do what we want functionality wise There's also a browser extensions that do exist. There's one called DNS sec validator Which actually claims to support Dane in web browsers like chromium and Firefox The problem with that is that Just sort of on a whim When I was taking a network security course at my university. I said hey come for my mid-term project Can I audit DNS tech validator and see whether it actually is secured all against man in the middle attacks? And my professor said okay, and so I audited it. It took me about 10 minutes I did a man in the middle attack using a local proxy and I looked to see what DNS tech validator would do about it. Well, it did pop up with a warning that said hey This is the wrong certificate. The problem is it did that after my login cookies had been sent to the attacker and After the sensitive information from the server had already been sent back and captured by the man in the middle attacker as well so, you know, I mean The the underlying problem here isn't so much that the DNS tech validator developers have a problem It's that the browsers just don't offer good API's to do this securely So the DNS tech validator developers for working with the best thing they were given but they're the approach of using a browser extension Just doesn't work right now There's also something called search him which uses this fun shared library LD preload magic which can basically override the functions in a certificate validation library that validate certificates and That kind of works the problem is to do that It's using data structures, which are just C structs that are not part of any public API And if you know if open SSL or nss or some library like that changes that internal data structure in a in an upgrade then all of a sudden search him would be messing with the wrong data and As far as I can tell there's no way to be sure that wouldn't lead to some kind of dangerous memory corruption And so I really don't think that's very safe So all of those all of those existing solutions had a lot of problems and we basically decided let's try something totally different So something to keep in mind here is there are actually two different problems that need to be solved here Which which we refer to as positive and negative overrides. So basically if there's a self-sign certificate That does match what the blockchain says we want that to be accepted even though it's self-signed But also if there's a certificate that's valid according to a certificate authority But doesn't match the blockchain we want to make sure that's that gets rejected. So there's two problems here We have to solve and It turns out these two problems are actually almost entirely orthogonal in how to solve them So you may have noticed that you can just add a certificate to your your operating systems a trusted certificate list and Then that gets accepted by your web browser even if it's self-signed But this is a really really dangerous idea for lots of reasons most majorly just that if you If if the certificate is valid as a certificate authority Well, then when you insert that then the attacker who controls that certificate that you got say from the namecoin blockchain They now have a sort of a malicious certificate authority that is on your system. They can now impersonate everything and Generally speaking certificates they follow the x509 spec x509 is incredibly complicated None of us felt up to the task of trying to audit Every every single attacker controlled certificate automatically to see if it had anything dangerous in it before we inserted it into the trusted certificate list and So, you know, we kind of didn't like that and there's also of course the problem that a certificate is actually pretty big Ideally we just want a public key hash because that's really small and fits in the blockchain easily Fitting an entire certificate into the blockchain is just prohibitively expensive. It wouldn't scale So those are the problems that we encountered there So this is a chat log from a conversation I had with our lead security engineer Ryan Castellucci and Basically as you can see Ryan asks how small can we actually make that certificate and I said well probably not small enough and then Ryan says let me do some wizarding and And then he comes back a few minutes later and he says yeah, we can actually make it fit if we cheat So what is this cheating? He refers to? The idea is that you have this concept called a dehydrated certificate and the idea is The data you put in the blockchain Consists of a very very small subset of the fields that are valid in a certificate So all you're putting in is the public key the signature the The start and end dates for the validity period and also of course there's the domain name itself that it's valid for Which isn't even specified by the attacker the browser knows that because that's what it looked up and So We're also using ecdsa rather than RSA because ecdsa is of course a lot smaller and This actually scales really really well So if you compress a by a binary certificate by dehydrating it You wind up going from 464 bytes to 104 bytes So it's really good a level of compression a name coin name can store up to 520 bytes So this fits reasonably comfortably In practice we had to add some bytes because we're encoding it as JSON And we couldn't use compressed public keys because libraries didn't support that very consistently But yeah as in terms of Scalability this works great that solves the scalability issue, but what about the security issue? Well, it turns out that this actually solves the security issue as well Because none of those fields that the attacker controls things like the public key or the signature None of those can actually be used to make the certificate valid in a totally different context than it was expected to be used in basically if the attacker tries to Dehydrate a certificate that's valid for something. It shouldn't be valid for The signature is not going to end up matching because when it gets Rehydrated it just it gets filled in from a template the template won't match what originally was the signature check will fail And you'll get a certificate error So Ryan came up with the math behind this. I'm the one who actually implemented it And I didn't want to use open SSL for this even though that's the standard tool that you would use I just don't trust open SSL. Their API is impossible to use properly as I'm sure we all know I also don't really trust C or C++ code very much for memory safety issues conveniently name coins DNS bridge software uses go and go has a really really nice X509 processing library and so we went with that There were some issues because goes X509 library is actually a little bit too high-level. There was no good way to actually splice a signature into an existing certificate I ended up having to do some mildly weird stuff with a script that automatically would copy the standard library version of the X509 library into the Into a new package and it would then add a function that could do the splicing using private functions so I mean it kind of made our hair crawl a bit and It's not the cleanest thing out there, but it does work so from this point what we ended up doing is When we get a DNS request for a name coin domain name which gets processed by code that we control on local hosts instead of replying immediately with the data we insert that TLS certificate that we've rehydrated Into the trust the certificate list and then once we've done that then we reply with the DNS record and This actually works surprisingly well because it turns out that both crypto API in Windows and NSS on Linux they actually Those things we inserted take effect immediately So you don't have to restart the browser or anything like that, which was kind of surprising That said crypto API on Windows has lots of stupidity in its design among other things it normally wants you to be an administrator to actually add a certificate and it's also really slow for reasons I couldn't figure out and Even if it weren't slow running as administrators not that safe so turns out that Windows crypto API actually stores those certificates that you add to it in the Windows registry as binary blobs Which is a little bit odd, but it is Microsoft. They love their registry and Of course to make things worse. It's not even a standard DER encoded Binary blob. It's a special encoding that Microsoft made and while I was a reverse engineering what it did I realized the reason they did that was because they wanted to cache the results of hash function evaluation Note that they're not caching the results of RSA or ECDSA which are hundreds of times slower So I don't know why an earth Microsoft made this so complicated But in any event I did successfully reverse engineer how those certificates are stored in the registry The Windows registry has a permission system with standard ACL. It's just like the file system So we don't actually need to run as an administrator anymore We can just create a separate user that has access to that exact registry key and That all works and here you can see a screenshot I'm not sure how visible this is from where you are but this is a screenshot of a name coin domain name with HTTPS and this is Chromium Saying that yes, it verified successfully so that was the positive overrides now we move on to negative overrides and Actually, it turned out that this was a lot easier than trying to do with a positive overrides At least it's easy with some caveats The trick here is that we're abusing HPKP, which is the public key pinning spec in web browsers So normally if if you're not familiar with how HPKP works Basically a website can opt into having a whitelist of acceptable public key hashes for its TLS connection and if it doesn't match you get a public you get a public key pinning error and This is rather interesting because a lot when HPKP was being written as a spec a lot of people were like hey Wait a minute. What if I want to intercept my own TLS connections? and So what what the decision was was that okay? You can intercept your own TLS connections because if you add your own certificate authority to the trusted certificate list It will actually not be subject to HPKP and The logic there actually makes sense because if an attacker has the ability to add arbitrary certificates your trusted certificate list Then you know probably they have a lot of access to your machine. They can already do horrible things to you But wait a minute that means all these certificates we added as positive overrides are exempt from HPKP Can we use that for something clever? So let's say we take the domain name bit Which is the top-level domain that namecoin uses and we set a public keypin on that including all subdomains And we just set it to a public key hash that no one has the private key for Well, then all of the certificate authority is that are trusted by the browser by default They won't be able to issue any certificates for it because it won't match the public keypin But all of the things we added as positive overrides are exempt from that So as a result the self-signed certificates that we're adding that came from the blockchain via rehydration Those will work, but if it's signed by a certificate authority, it won't work. So that solves the issue there And in particular we ended up using as the public key hash Ryan suggested to use one over pi Scaled to 256 bits which seems to be fairly good as a nothing up my sleeve value And turns out that chromium actually stores all this data in just a JSON file With all of the all of the keypins and so it's trivially easy to make an installer for namecoin Just edit that JSON file when you install it so that the keypin gets put in place and So this is an example of what it would look like hypothetically if If a malicious certificate authority issued something that it shouldn't for a namecoin domain now here You'll see it's google.com because we tested it by setting the keypin on calm rather than bit But yeah, this basically demonstrates What would happen if someone Misissued a certificate for a namecoin domain name even if there are trust that certificate authority It will not be allowed and it will say pinned key not in search chain So that solves that problem as well There is a problem though here. You might have heard that chromium is deprecating HPKP soon It's expected HPKP will be removed from chromium sometime early to mid next year so What are we going to do about that? um on Windows specifically Windows itself actually has a keypinning mechanism built in In fact it has two one of them is called emet one of them is called enterprise certificate pinning The latter only works on Windows 10 the former works on pretty much every version of Windows And so I'm pretty sure that I can adapt those systems to do what we want here But I haven't actually coded that yet So I have some work to do before the next chromium release comes out it's next year But the bigger problem there is that on GNU Linux, there's just no standardized method of doing certificate pinning So if by any chance anyone here in the audience develops TLS implementations for GNU Linux You really might want to consider adding some mechanism to customize what Certificates are valid even if it's just negative overrides or even if it's just adding Public keypinning that would be good enough for what we're doing and it would help a lot of people Over on the Mozilla end of things though Mozilla actually does appear to recognize that this is a use case that matters And they've actually expressed a tentative willingness to merging code that would actually add a browser extension API for customizing TLS certificate validation and This is awesome because clearly They recognize that being able to customize how things work is an important part of free software and They're not trying to you know just play nanny with the user. So that's good And I want to especially thank David Keeler Andy McKay and Andrew Swan at Mozilla for answering a lot of questions I had while I was writing a patch for Firefox that would implement this that patch is about halfway done Maybe a little more than that. I'm planning to submit it upstream to Mozilla So maybe in the foreseeable future people who use Mozilla based browsers will actually be able to just install a browser extension and then they'll have namecoin TLS validation working without any of this ridiculous Dehydrated certificate magic that we're doing for supporting chromium But in the meantime if you want to play around with the code that we've produced for using chromium on Windows With the dehydrated certificates it is available right now. It's released it works so go to namecoin.org and Go to the downloads page click on beta downloads. You want the ncdns for Windows installer Oh, and if you if you want to test it so you can click you can just go to nf.bit Which is the namecoin forum and If you if it and if you have ncdns for Windows installed that will actually work and it will validate the TLS certificate properly And yeah, as I said if you work on TLS implementations, please help us not use insane stuff like dehydrated certificates We don't like doing that kind of magic. We were forced to So that is all I have for you I'm happy to take questions and in addition if you want to contact me privately as well I'm going to be here at the Congress. You can also email me Hopefully my namecoin t-shirt will make it obvious where I am. So yeah, thank you Jeremy Jeremy. Thank you very much for this very nice talk. Technically it is was you explained very good the pros and cons It's my understanding and understanding right that the negative override is not yet implemented the negative override is implemented for for chromium on Windows It's actually implemented also for chromium on GNU Linux Although we don't actually have an automated installer for using the positive overrides on GNU Linux yet So right now we're only advertising Windows support Even though you can get GNU Linux support to work if you if you're if you're persistent The problem with the negative overrides right now is that they will stop working silently Once chromium releases the version that kills HPKP. So for now it's safe, but When you upgrade chromium eventually eventually it will stop working and that's why we're I'm planning on Reimplementing that using the built-in certificate pinning that Windows has I mean I don't expect that to be incredibly hard But on the other hand, it's Microsoft. They do strange design decisions. So We will see how that goes. I'm hoping to get on that in the next month or two But in the meantime until chromium ships the new version that kills HPKP It works completely out of the box right now at least if you're using chromium on Windows Okay, I understand. Thank you. So I have three more questions for Jeremy in the meantime you can think about questions too and Are you ready for the hot seat three hot questions? Sure. Why not? So you say it's name coin, but why is it not name chain? I think it's closer to the blockchain than it's to the Bitcoin That's a totally fair question interestingly originally when the name coin Project was being designed initially it was called bit DNS and at some point Okay, so bit DNS was originally just sort of a proposal slash design. It wasn't an implementation and The person who actually implemented bit DNS into a working production-ready System that had a production blockchain His name's are Vincent Durham. Although that's that's an alias not his legal name He decided to call his implementation name coin and I honestly don't know why he chose that it has caused a lot of confusion because a lot of people think oh name coin that sounds like a really good Investment vehicle for making me loads of money when my coins go up in value and I mean, you know We're okay with people buying name coins if they really think it's a good investment, but we don't view that as the primary use case We don't cater to that use case much. So yeah That said I think one way you could argue that the term name coin is accurate is that the Names in name coin actually are just special coins. There's special coins that have a monetary value of one name sent and they also have some extra data at the beginning of their script pubkey field and That extra data includes some special op codes which tell the name coin system This is a name coin as opposed to just a coin So yeah, you could you could argue about whether it's a good term From a marketing standpoint, but yeah point taken Thank you very much. The next question is about how How many developers are there and how do you guys work? What's your how do you work? remotely together What are the tools that you use? yeah, um So every time I get asked how many developers we have I tend to give a different answer each time Due to the fact that as a as a mostly volunteer run free software project We do have people, you know either start participating or stop participating or take a break things like that If I had to come up with a number right now, I'd say probably we have like seven or eight developers who work on stuff regularly To varying degrees of participation So, you know, we're a lot smaller than Bitcoin. Obviously. We're even a lot smaller than something like Monero That said, I think we I think as a team we work pretty well together We generally have a fairly the cohesive vision of What kinds of functionality we want to see We may just we may of course disagree about exactly how to get there, but we do work together pretty well In terms of how we communicate and stuff like that We have a matrix channel Which is bridged to IRC for people who prefer IRC Most of the communication happens via that Obviously we use a github and stuff like that as well But yeah, things things actually work work out pretty well given that we almost never see each other in person There's there's a there's a namecoin developer here in addition to me. I first saw him I first met him in person yesterday Even though he's been involved with namecoin for many years So, yeah, your program languages go then is that correct? the implementation of the Namecoin to DNS bridge is in go The namecoin core client which does all of the all of the blockchain consensus stuff that is in C++ To be honest personally, I wouldn't be too opposed conceptually to moving everything to go I enjoy go a lot more than C++ the problem there is that Since we're a fork of Bitcoin and we merge lots of changes from upstream Bitcoin core That produces problems if we deviate too far from what the Bitcoin community uses and right now The reality is that in Bitcoin land the dominant implementation is Bitcoin core, which is C++ So we're stuck with that for that purpose But for all of the projects that we that are completely our work like the namecoin to DNS bridge Yeah, we're using things like go Occasionally Python Just because those seem to be a lot safer than C++ or C Cool. Thank you very much Any questions from the audience Well, please come come here I will be standing there Hi, thank you for the talk very nice nice talk. I just one question. I was wondering how How difficult would it be to rewrite the namecoin chain and would that be would that be dangerous for the CA For this for this application Um as in rewrite the chain you mean as in like a blockchain read organization Yeah, and like take over the majority of hash car power right 21% attack. Okay. Yeah So right now Namecoin is relatively resistant to that because it's merged mind with Bitcoin Which basically means that Bitcoin miners can just add some extra software to their mining rigs And then they get some name coins effectively for free And so there's a lot of Bitcoin miners who are mining namecoin and in fact There was a rather hilarious incident a few weeks ago where so as you know, there is a There was a hostile hard fork attempt of Bitcoin, which they call themselves Bitcoin cash some people call them be cash and and so They actually stole a lot of hash rate from Bitcoin short-term and Well that well that whole incident was happening Namecoin actually ended up with more hash rate than any other cryptocurrency including Bitcoin Oh, and the and the reason for that is that all of the Bitcoin miners were mining namecoin as well But all of the all of the Bitcoin cash slash be cash miners were also Mining namecoin as well And so we actually had as much hash rate basically as the Bitcoin and Bitcoin cash slash be cash Miners combined. You're the real net real Bitcoin then I know Samson most said that on Twitter. It was hilarious. He said oh crap now namecoin is the real Bitcoin Thank you. Thanks Thank you very much I have two questions first. Did you consider Registring top-level domain the dot bit as a TLD that wouldn't solve of course all the TLS issues But at least competitively. Yeah, okay, so this is an interesting question um Generally speaking the registration process for GTLD is generic TLDs through ICANN Requires that whoever is registered as the operator of that GTLD. They need to comply with trademark takedown policies and As a decentralized system that's using a blockchain We're not able to comply with ICANN's trademark rules if someone is squatting on a trademark's name Well, that's too bad. There's nothing we can do about it And so we weren't able to we weren't able to go that route Also, it would cost a lot of money which would also be kind of prohibitive since we're a small free software project without much funding Although I should give a shout out to NL net foundation. They are funding us at the moment So if anyone here knows people from NL net foundation, please tell them. Thank you for supporting awesome stuff but There is an extra Procedure that could be done instead of a GTLD registration and this is called an SU with TLD special use top-level domain The idea is that you can you can get a top-level domain registered as not belonging to the DNS it's for special use only and We actually tried for quite a while to get dot bit registered as a special use top-level domain There were some political incidents there that I don't want to go into detail on But long story short tour was able to get dot onion Registered as a special use top-level domain, but we were not able to get name-point registered at the same time We are Continuing to pursue that option We're hoping that maybe that'll happen at some point But yeah for the moment it we were not able to make that happen short-term That said as far as I can tell it's extremely unlikely that I can would have any interest in issuing Dot bit as a GTLD just some random person who wants to steal it from us From everything that I've seen coming out of I can they recognize that if they were to issue a Top-level domain that is already in active use elsewhere That would be disruptive enough that they really wouldn't want that disruption to the internet ecosystem So I mean short-term it's not really a huge problem that we're not officially registered But we would like to fix that anyway, and we do plan to keep pursuing that Okay. Thank you. The second question is I first got into name coin a bit when I was Mining myself back in the day when it still was profitable to do that And then there was a thing called a dual mining where you mined name come simultaneously with Bitcoin, right? Yeah merge mine. Yeah, yeah much mining But I think today it's not really supported by a lot of pools to do that Do you have any effort to evangelize that to other pools so they can maximize profit and you the hash rate? That's a good question We have done some efforts to ask pools to mine name coin since they're mining Bitcoin already anyway But in practice, it's turned out that we actually don't end up needing to contact pools about that Just because empirically it looks like weeks We seem to keep going up and up towards 100% of Bitcoin miners just on their own because the Bitcoin miners have realized That mining is so competitive now that if they don't mine name coins They're losing out on money that might affect whether they break even and so you know We're always happy to talk to miners and give them tech support if they're having trouble setting it up But in practice we've found that we don't actually need to actively evangelize They tend to have an interest in using name coin on their own That said I should point out that It wasn't always the case that that was true up until about two years ago F2 pool had a majority of name coin hash rate all by themselves and Obviously that that's kind of problematic that meant they could have attacked name coin at any time That's no longer the case. They they now have a relatively small hash rate percentage, but We were concerned about that of course We knew the F2 pool people because they actually funded name coin development for a couple of years And so we were pretty sure they weren't going to attack us and ruin their own investment But even so that's not the ideal situation to be in F2 pool also did Help us out tremendously when there was a fairly interesting emergency that happened People here may or may not know a couple years ago Peter Willa from Bitcoin Dropped a zero-day on the Bitcoin dev mailing list that basically described a way to cause a chain fork by taking advantage of an open SSL bug and Bitcoin had already patched it, but name coin hadn't yet patching it required a soft fork and As soon as Peter Willa dropped that zero-day We started contacting all the miners and said hey you need to upgrade and activate that soft fork as soon as you can Well, a soft fork takes 95% hash rate to activate We were able to get 92% of the miners to upgrade the rest We had trouble contacting quickly and so finally we were like okay This is not good and then F2 pool contact us and said hey You know since we actually have a majority of name coin hash rate right now We can just unilaterally activate that soft fork for you and just reject any block that doesn't ever that doesn't ever I support for that soft fork And we were like okay. That's a really really bad precedent to set But at the same time we do not have any other options We'd really rather have that happen than have someone cause a chain fork That's really hard to recover from and so F2 pool did that and a day later the soft fork officially activated We reached 100% of blocks and so that solved itself because F2 pool actually helped us out So you know given that we were pretty sure they weren't going to attack us But at the same time it's good that now that can't happen again now the I think the largest mining pool that mines name coin has something like 21% of Namecoin hash rate or something along those lines. I haven't checked the numbers recently, but it's it's a lot lower than 50% Thank you. Thanks That was amazing, huh good questions Yeah, those were good questions Jeremy if anybody has more questions, where does he find you? So I can be found usually near the Monero assembly, which is somewhere back in that direction and Yeah, if and if And if you can't find me there at the Monero assembly You're welcome to email me although I should note I don't actually have access to my primary email account while I'm traveling due to the risk of You know having stuff stolen or something like that. I should mention that a couple years ago I got an email from Twitter saying hey state sponsored actors may have tried to compromise your account I still don't know what state sponsored actor that was but ever since then I've been really careful when traveling internationally Because I don't want to bring any of my standard crypto keys or passports with me So but yeah, you can email me and I'll get back to you when I'm back home in the US Alternatively if you want to contact me sooner than that and you can't find me at the Monero assembly You can join the name coin channel on free node or the name coin matrix channel and just ping me there I think I have three user names logged in there ping them all and I will hopefully notice that and get back to you fairly soon So hopefully that's enough options. Cool. Thank you very much. Thank you