So we can start. All right, let's start. I'm very happy to introduce Michael Scherer, who is coming from Red Hat's Open Source and Standards group, to give us a talk about, well, it was supposed to be modern architecture. Now it seems to be secure infrastructure. So, Misc, go ahead.

I did the proposal in the evening, and I didn't have time to change it, so sorry about that. So if you wanted to see something about modern infrastructure, sorry, you can always leave. So as I said, I'm working at Red Hat, like a lot of people at the conference, so it would not be a big surprise. I'm a system administrator in the Open Source and Standards team. We are the team distributing the t-shirts in the corner, if you want to get more information or just a t-shirt. And basically, we are helping various open source projects upstream directly with stuff like community management, project management, helping to organize events. Or in my case, making sure that the infrastructure is, one, working, two, working in a secure way. And the problem I see is that we have a lot of upstream projects with a lot of developers taking care of everything. And well, to me, developers and system administrators are two different professions, for one good reason: developers are not always good system administrators. And system administrators are most of the time not good developers. So when you ask a developer to do a sysadmin job, it usually does not end well. And for that, I'm going to speak about a short story which started with some project from Red Hat. I will not give the name, but this is a distributed file system. Hey, it's not like I'm giving the name. You have two of them. But two of them have the same problem. And it started back in September. I was tasked to modernize the infrastructure and see what was happening. So first thing you do, you start by doing an inventory. So it was quite easy. There was some stuff on Workspace.
I just looked at what kind of virtual machines there were and everything. And then I started to look at other stuff. And it's like RHEL 5, RHEL 6, not up to date, but nothing serious. Some of them having no SSL for login. That's something I fixed. And I started to look around at how they are running. They are hosted as VMs on some system somewhere in Canada. And I started to connect around. Because when you have an access, you just start to see if there is other access, if you can bounce, and this kind of stuff. And I discovered that this is basically three VMs running on a Xen host. For whatever reason, I had access to the Xen host for one of the hosts. So perfect. And so one of them was called shell.example.com, example replaced by the name of the project I will not give. And I said, OK, it's not something we are using. I will take care of it later. I just write in the inventory that there is this VM and that's it. And I was curious. I decided to start tcpdump to see if there was traffic. And it turned out that I started to see POP3 in clear text. And I said, oh, there is someone that forgot a mail forwarder, and it's using clear text. It's quite bad. Maybe I should tell them that they should do something. So I tried to connect to that server. I have no access. What do I do? I start to look with virsh, the libvirt console. And surprise, I get a root shell. Someone was connected and forgot a root shell. Fine. And then I start to see what is running. And that's where things start to be bad, because there is a script called bf for bruteforce.php. And it was running, well, as you can see, 2,000 of them. And when I started to look at where it was, no, it was definitely not something legit at all. So that's where I say, OK, there is a problem. Someone managed to get root on that server. It's OK. I can shut it down. It's not a server we are using for development. So I shut down the VM. And I investigate.
Investigating, in the case of a security compromise, is taking the whole disk and running tools like guestfish and everything. And it would not be a whole story without getting worse and worse. So I started to see that the home directory is shared with a network file system, which means that, basically, anybody who had root access could just inject an SSH key to connect to the other servers. Quite bad. I started to look at that. I started to find that, well, some people forgot their EC2 credentials in their home, where some attacker could do something. I started to see that people forgot their SSH keys, which is quite bad. And, well, they were unencrypted, which is bad. But the worst part is that some of the keys were the keys to access other servers as root. So that's where we started to contact internal security to make a full investigation. Basically, it was three weeks of work where I had to stop everything I had to do, with meetings. And it went really up the management chain. So it's something that we really want to avoid, as I do not like meetings. But between meetings, I was doing work. And between work and meetings, I was sleeping. And the problem is we found more. Like, we didn't have more issues, but we did see that for the fall of last year, basically around four people were connected from China, from Romania, from Argentina, and we started to see a pattern, like all the countries finishing with an A. But we were lucky, it was just a script kiddie. And then the question is, how did they get in? I mean, I would love to say that, oh, they were using a 0-day, using a hypervisor bypass, and disabling SELinux, and a crypto backdoor, and everything. And nope. It turned out that they were brute forcing the password for 15 minutes. And I suspect that the password was likely "secret", not like secret. It was not shared, like "secret" like this, because we had the Kickstart file served over HTTP.
So someone could just download it and say, the password is this, as a comment, and yeah, quite bad. But hopefully, it was not a sophisticated attacker. He used his own IP somewhere in Romania. And he also used a work IP, some data center in Bucharest, and was even on a Romanian hacker forum, you know. And he was using a PHP script for that. So it was quite easy to find where the person was. So we just decided to disable it, to redo the whole infrastructure, and yeah. So the question is, how did we get there? And it turned out that when we acquired that company, for some reason, people left the company. Some people got moved to other departments, and everybody was thinking that someone else was in charge of the server. And it turned out no one was in charge. So that's no one to blame. So, but my point is not to explain how it can go bad or everything. I finished, yeah. So yeah, the point is not to blame people, because everybody is busy and everybody tries to do their best. I mean, system administrator is a full-time job. It's not because you need to master how to play Quake and this kind of stuff. It's because you really need, well, to know how to do it. But as I cannot multiply myself, or at least not in a way that does not take 20 years, I want to make sure that people know at least the good, the small stuff, not all the crazy security stuff of using two-factor authentication and VPN over VPN over VPN, and this kind of stuff that you see in movies with a gray, black screen and green letters. So what can you do to block this kind of small attack? We are not dealing with the NSA or this kind of stuff. I mean, I no longer have a problem with the government, because they could just get the IP address and enter without trouble. So what are the easy steps for part-time system admins? So by part-time system admin, I mean all the developers that had the bad idea of installing something and said, oh, it will be okay. It will update itself. Nope.
So when I discussed with the internal security at Red Hat, they said that if I need to do something, and only one thing, it is to disable the SSH root password. So I just want to make sure that if any of you do that, please disable the SSH root password. You can use SSH keys and everything. It's more secure. There is no risk of brute forcing. It works quite well. But please do not leave your SSH keys all around. But I mean, that's basics. If you want to be more secure, well, you can disable the same for user passwords. It tends to be maybe for some time a pain in the ass and everything. So maybe do not do that. Something that people tend to do is to use a different port, which is nice, except that we discovered that each time you make an NTP request over IPv6, there is a search engine called Shodan that will scan you back. So suddenly, your perfectly working security measure is listed in a search engine for all kinds of stuff. So people can just search for SSH servers. So let's say that it's completely useless. Not to mention that sometimes you go to conferences, and sometimes you are at a conference and you are hosted by a university. And some universities are blocking all kinds of weird ports. It happened to me last week. And yeah, when you cannot connect to your server to do your job during your conference, it can be bad. Especially when the same university is also blocking VPN and all kinds of stuff like this. So just use the standard port. I think it's good enough. Something that people also told me to do is IP limitation, which is fine when you do not move. And it's fine when you have a fixed IP. And when I'm traveling too much, I want to get help from other people who might be from some country where there is one single IPv4 for the country, for example, like Mongolia, or get one IPv4 for one million people, like most of the countries at the moment. And there is fail2ban, which I do not like, because the probability of shooting my foot is non-zero.
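A quick way to verify the two settings above on a box you inherited (no root password login over SSH, no password authentication at all), as an added example for this transcript and not something the speaker showed. The function reads a file in sshd_config syntax and reports the effective value of PermitRootLogin and PasswordAuthentication, following the rules sshd itself applies: keywords are case-insensitive, the first value for a keyword wins, and settings inside a Match block are conditional, so the check stops at the first one. The sample config files used in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings the talk insists on.
# Not from the talk; the file path passed in is whatever the caller chooses.

# audit_sshd_config FILE
# Prints one OK/FAIL line per setting and returns 0 only when both are hardened.
# Rules mirrored from sshd: keywords are case-insensitive, the first value seen
# wins, and anything after the first "Match" line is conditional, so it is skipped.
audit_sshd_config() {
    awk '
        # drop comments and blank lines
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
        # Match blocks apply only to some connections; stop at the first one
        tolower($1) == "match" { exit }
        {
            key = tolower($1); val = tolower($2)
            if (!(key in cfg)) cfg[key] = val   # first occurrence wins
        }
        END {
            bad = 0
            r = ("permitrootlogin" in cfg) ? cfg["permitrootlogin"] : "unset"
            p = ("passwordauthentication" in cfg) ? cfg["passwordauthentication"] : "unset"
            # "unset" counts as FAIL: older OpenSSH (the RHEL 6/7 era mentioned in the
            # talk) defaults PermitRootLogin to yes, and PasswordAuthentication
            # defaults to yes everywhere, so the setting must be explicit.
            if (r == "no" || r == "prohibit-password" || r == "without-password")
                print "OK   PermitRootLogin=" r
            else { print "FAIL PermitRootLogin=" r " (want no)"; bad = 1 }
            if (p == "no")
                print "OK   PasswordAuthentication=no"
            else { print "FAIL PasswordAuthentication=" p " (want no)"; bad = 1 }
            exit bad
        }' "$1"
}

# Usage on a real host:  audit_sshd_config /etc/ssh/sshd_config || echo "fix sshd_config"
# Try it on constructed files:
#   printf 'PermitRootLogin yes\n#PasswordAuthentication no\n' > /tmp/weak   -> two FAIL lines, exit 1
#   printf 'PermitRootLogin no\nPasswordAuthentication no\n'  > /tmp/hard   -> two OK lines, exit 0
```

PermitRootLogin prohibit-password (older spelling: without-password) is accepted because it already blocks exactly what the talk is about, root logging in with a password; "no" is still the stricter choice. Run the check from the configuration management tool that deploys the file, so a hand edit on one host shows up on the next run.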
And I mean, if people try to connect to the Fedora servers from here and get blocked... If there is suddenly someone managing to just do a port scan, everybody will be blocked. So not good. So just for SSH, which is really the basics, that's all the kind of stuff you can do, but just do the first one; it will already be great, because all the compromises I had to deal with in the last two years were with this kind of stuff. Sometimes it was just me, like forgetting that there is a test:test user, well, okay, my fault. If you want to do more, and if you want to help the security team and me, something that you can do, and which is not hard to do when you have the resources, but you know, we are all about cloud and this kind of stuff, so it's easy to get a VM, is doing central logging. So central logging is something which we have had, like, since forever, or more than 10 years, which is basically the same. And you just say, okay, if someone connects and gets access to that machine, we still have a copy of everything, because the attacker we had was not sophisticated, but he still managed to wreak havoc on the server. So we had to use some tools to get back the files he erased to see where he connected from. So it was not that bad, but not that smart, because we could get stuff. With that, it's not supposed to be possible to connect to the remote server. And that's it. You do not need to... you can keep them for years and years. Ideally, if you want to do stuff properly, you need to use TLS, which has been supported for a long time. But the problem is doing certificates is hard, like really annoying. Each time I need to do that, I Google for the answer on the same exact page, and I'm too lazy to make a bookmark. And so we have a product inside Red Hat called Dogtag, which is shipped with FreeIPA. And yeah, I was planning to do one hour of saying, oh, FreeIPA is great, but I only have 40 minutes. But it's like one single command to install.
Like you run the command, you say, I want this password, this password, and it deploys everything. Provided you use CentOS 7 or CentOS 6, or even, well, let's be corporate. And one command for each server to enroll them. It's like, add the server to the LDAP and that's it. And for that, you get LDAP. You get Kerberos. You get certificates with automated renewal. And it's all working directly. So how does it help us? Yeah, first, before helping us, you need to make sure that you get a copy, because it will start to be critical. So the same, getting a replica is two commands. One command on the first server, one command on the second server. And now we have two servers. Well, how does it help us? So first, it brings a consistent policy. Like people have the same password everywhere. And since they have the same password, they have only one password to remember, not 20 different passwords, and they all become "test" passwords or this kind of stuff. It helps to close accounts. We did have a few people from that company we acquired that left, but they still had open accounts. And that's problematic, because if someone starts to connect from a random IP, no one is gonna see that. If they need to change their password, no one is gonna change the password and everything. It helps to manage the sudo access as well, because again, there are basically five different ways to distribute sudo policy. And the project was using one way for each server. So I had to do the audit for the first way, for the second, for the third, et cetera, et cetera. It's quite fine, because I did learn a lot of stuff. But at the same time, it's bad, because you do not know where to look for access. While with this, you can just click and remove everything. So there is a web interface, because not all developers or part-time sysadmins are okay with a complicated man page and this kind of stuff. With a web interface, you can directly see everything. And it kind of provides you some kind of inventory.
So you can see all the servers you have, you can see what their names are and everything. Which then brings me to the second part, which is configuration management. So I do not know if people were in the talk this morning about the new stuff like "configuration management is dead". Well, I think it's not dead, but I have no one to troll in the room. So just pretend that you saw that. I tend to recommend to use something like Salt and Ansible, and mostly Ansible, because they are really easy to start with. And you need to make sure that if you are not a full-time automation engineer, you do not need to do everything. Like you can just deploy the SSH config and that's it. That will be sufficient. You can do the rest by hand or this kind of stuff, but you can just do that. Make sure that people cannot connect as root. I mean, I did the full presentation to make sure that people remember that. So please remember that. Ideally, you should make sure that SELinux is on. Not because it makes Dan Walsh weep, but because it's good for security. The problem is people disable it because they do not understand it. So for that, there are two things. First, you can use standard paths. It's nice that you want to get your website in /home/website/mywebsite.com, whatever. But if you place it in /var/www, SELinux will do everything for you. And the second thing is you can tune SELinux with booleans. You can decide that, okay, this part is too complicated; rather than disabling everything, I can just change the policy, or I can disable part of the policy, and that prevents some exploitation. During the problem with the file system, the distributed file system that shall not be named, we did see that the attacker could have had access to the download server. And the good part is that there was no SSH key leak, because the download tarballs were not signed. So we had no way to verify... we had some way to verify the download server, but not so much.
So now I'm setting up something which is called Tripwire or AIDE, and it just checks a directory and makes a checksum of everything. And you keep that, you put it on another server, and it alerts you if something has changed. Like if suddenly someone changed the tarball, you say, hmm, there is something going on. It's not complicated; it's just a cron job and an SCP, and it can prevent some problems, because we had in the past, for example, I think 10 years ago for IRC, we did see tarballs, for example, for Juniper and all kinds of stuff, and this is an easy step to prevent that. On the side of the code, well, I would recommend to make code review mandatory, because if someone manages to push a commit on Git and there is no code review or anything, it's bad. Someone could get access to your laptop, push, and nobody will remember anything. So if you force people to use Gerrit and this kind of stuff, which is part of a good process, you also improve security, and you make me happy. Ideally, if you can send a mail on commit, because suddenly if you see that, when you are on holiday, someone is committing a backdoor.c file, maybe it will be suspicious. And obviously, you need to use SSL, even if it's something that does not count, like, oh, we do not need to have SSL for our Jenkins server because it's just some password. Yeah, no, when the password can be used to connect to the server, nope. So SSL, do use it; it's annoying, but we have Let's Encrypt. So it's now in beta, it's now in EPEL 7 and in Fedora. You basically have no reason to not use it. It's easy to integrate. It's just one cron job and one Apache snippet that I wanted to show, but nobody will read it on paper or anything. And it takes care of everything. It automatically updates the certificate. And speaking about automated updates, something that you should really do is to make sure that you update all the packages.
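The "cron job and an SCP" version of the checksum idea above, written out as an added example for this transcript; it is not AIDE or Tripwire and not the speaker's setup. One function hashes every file under a directory into a baseline, the other compares the live tree against a baseline fetched from elsewhere and reports changed, removed and added files. The directory layout and file names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: a minimal AIDE/Tripwire-style integrity check for a download
# directory. Not from the talk and not AIDE itself; it only shows the idea:
# hash everything once, keep the baseline on another machine, compare later.
# Limitation: file names containing spaces or newlines are not handled.

# integrity_baseline DIR OUT
# Writes "sha256  ./relative/path" for every regular file under DIR, sorted by
# path, so the baseline is stable and can also be diffed by hand.
integrity_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2 > "$2"
}

# lookup_hash PATH FILE: print the recorded hash of PATH in FILE, or nothing.
lookup_hash() {
    awk -v p="$1" '$2 == p { print $1; exit }' "$2"
}

# integrity_check DIR BASELINE
# Prints CHANGED/REMOVED/ADDED lines; returns 0 only if the tree matches the baseline.
integrity_check() {
    dir=$1; base=$2
    cur=$(mktemp)
    integrity_baseline "$dir" "$cur"
    status=0
    # every baseline entry must still exist with the same hash
    while read -r hash path; do
        now=$(lookup_hash "$path" "$cur")
        if [ -z "$now" ]; then
            echo "REMOVED $path"; status=1
        elif [ "$now" != "$hash" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$base"
    # anything present now but absent from the baseline is new
    while read -r hash path; do
        [ -n "$(lookup_hash "$path" "$base")" ] || { echo "ADDED $path"; status=1; }
    done < "$cur"
    rm -f "$cur"
    return "$status"
}

# Typical cron use on the download server (constructed paths). The baseline is
# kept on another host, so someone who can edit the tarballs cannot also edit
# the checksums; the check fails loudly when anything differs:
#   scp backup-host:/srv/baselines/download.sha256 /tmp/baseline &&
#   report=$(integrity_check /var/www/download /tmp/baseline) ||
#   printf '%s\n' "$report" | mail -s "download tree changed" admin@example.org
```

When a release is published legitimately, regenerate the baseline with integrity_baseline and copy it back to the other host as part of the release procedure; otherwise the next cron run correctly reports the new tarball as ADDED.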
And for that you need to make sure that you are using packages. If you start to use a self-installed WordPress or this kind of stuff, it's a recipe for disaster, because it works, but no one is updating it. And suddenly someone does an SQL injection, gets access to the server, and you are not using SELinux and you are not updating the kernel. And suddenly they are root, and I spend three weeks investigating everything, and it does not make me happy. And sorry, I was faster than planned. So if you have any questions, or if you want to debate about all kinds of controversial stuff with me, I will be quite okay. And if not, I'm also okay with 20 minutes of applause if you want. And if you want to contact me later, it's quite easy. You either send me an email or find me on IRC. And if you try to get me on Twitter, Facebook or LinkedIn, it will not be me. So any questions? Yep. I'll just throw it away. Okay. So the question is, what do you think about SSH fingerprints? Because there is sometimes man-in-the-middle, and do I have a solution for centralized fingerprint management. I think that FreeIPA is doing that, getting the SSH fingerprints from everything. I'm not sure if it publishes that directly in DNS, but you can publish the fingerprint of your server in the DNS and ask SSH to verify. So someone has to make a man-in-the-middle between the server, and a man-in-the-middle with your DNS, which can be secured with DNSSEC. So in practice, I think it does not happen. I mean, I never saw anyone speaking to me about SSH man-in-the-middle in the wild. I mean, we know that technically it could happen, but it's more like when the government is trying to get you. And I don't say it does not happen, but I say that for now I'm trying to fix it when the Romanian script kiddies are trying to get me, rather than the top hacker of whatever government is going to attack the project that shall not be named.
Now the issue with fingerprints and man-in-the-middle is that it will only work if you enter your password. If you are doing public and private key cryptography by using SSH keys, I do not think... I'm not a cryptography specialist. There are a few of them likely around, but not me. So if someone wants to answer, feel free. But I think that you will not reveal anything by connecting there and trying to send your... You are not sending your private key, you are doing some crypto operation, and if someone pretends to be the server, they will not be able to get anything from your laptop. Unless there is some timing attack or this kind of stuff, which is much more complicated than my knowledge in cryptography. So it should be okay even with SSH keys. You will see that there is something going wrong. And if you get the prompt, try to contact another admin, say, yeah, did something change or is it normal, or try to connect from another server to see if it's the same. Because indeed sometimes it could just be some stupid gateway, like you are in a hotel and there is a captive portal, you connect by SSH and the captive portal redirects you to its own SSH port. So that's not really an attack, but that's how it can happen. So yeah, I hope that it answered the question. If not, I can just pretend to say it did, because I have the mic and you don't. Thanks. Yep. Yes, I did an Ansible playbook for that and it's working quite well. The biggest problem with Let's Encrypt is that you need to, for HTTP, because I didn't play with other stuff, is that you need to serve some secret... Oh, so yeah, I do have experience. So for people watching the stream, the question is about running Let's Encrypt in a container, and I forgot the rest. Basically, it's not my fault. The question was too long.
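What "publish the fingerprint of your server in the DNS" from the answer above actually contains, as an added example for this transcript rather than anything the speaker showed: an SSHFP record (RFC 4255, with SHA-256 fingerprints from RFC 6594 and the Ed25519 algorithm number from RFC 7479) is the SHA-256 of the raw host key blob, tagged with an algorithm number and a fingerprint type. The function below derives one from an OpenSSH public key line, which is what `ssh-keygen -r hostname` does for the keys in /etc/ssh; the sample key is constructed (all-zero key material, valid framing only) so the code runs offline.

```shell
#!/bin/sh
# Added example: derive an SSHFP DNS record from an OpenSSH host key line,
# the way `ssh-keygen -r` does. Not from the talk. Needs GNU base64/sha256sum.

# sshfp_algorithm KEYTYPE: OpenSSH key type name -> SSHFP algorithm number
sshfp_algorithm() {
    case "$1" in
        ssh-rsa)           echo 1 ;;
        ssh-dss)           echo 2 ;;
        ecdsa-sha2-nistp*) echo 3 ;;
        ssh-ed25519)       echo 4 ;;
        *)                 return 1 ;;
    esac
}

# sshfp_record HOSTNAME "KEYTYPE BASE64BLOB [comment]"
# Prints: HOSTNAME IN SSHFP <algorithm> 2 <sha256 of the raw key blob>
# (fingerprint type 2 = SHA-256). Returns 1 for an unknown key type, an
# undecodable blob, or a blob whose embedded type string does not match the
# declared one, which is what a mislabeled or tampered key line looks like.
sshfp_record() {
    host=$1
    set -- $2                       # split the key line into fields
    keytype=$1; keyblob=$2
    alg=$(sshfp_algorithm "$keytype") || return 1
    raw=$(mktemp)
    if ! printf '%s' "$keyblob" | base64 -d > "$raw" 2>/dev/null; then
        rm -f "$raw"; return 1
    fi
    # The blob starts with a 4-byte big-endian length, then the key type string.
    len=$(head -c 4 "$raw" | od -An -tu1 | awk '{ print $1*16777216 + $2*65536 + $3*256 + $4 }')
    embedded=$(head -c $((4 + len)) "$raw" | tail -c "$len")
    if [ "$embedded" != "$keytype" ]; then
        rm -f "$raw"; return 1
    fi
    fp=$(sha256sum "$raw" | awk '{ print $1 }')
    rm -f "$raw"
    printf '%s IN SSHFP %s 2 %s\n' "$host" "$alg" "$fp"
}

# Constructed sample host key: correct ssh-ed25519 framing around 32 zero bytes.
# Real keys start with the same "AAAAC3NzaC1lZDI1NTE5AAAAI" prefix.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI$(awk 'BEGIN { for (i = 0; i < 43; i++) printf "A" }') constructed-sample"

# Usage: sshfp_record host.example.org "$(cat /etc/ssh/ssh_host_ed25519_key.pub)"
# prints a line such as  host.example.org IN SSHFP 4 2 <64 hex digits>
```

Put the resulting record in the zone, sign the zone (DNSSEC, as the answer says), and set VerifyHostKeyDNS yes in ssh_config on the clients; ssh then compares the presented host key against the record and only asks the "are you sure" question when the two disagree. The embedded-type check matters because the record is keyed on the algorithm number: a line that says ssh-rsa in front of an Ed25519 blob would otherwise produce a record that never matches.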
So yeah, the problem, so your problem is that you have a container that is running Let's Encrypt and you are redirecting when there is a .well-known/acme, whatever, for Let's Encrypt. So basically it's a reverse proxy that is running in a container between your server and this. So that's not something I've done. I'm surprised to see it's not working, because that's the exact architecture I wanted to use, because I did have a lot of other tips and stuff to say, but it was more complicated. I was really aiming for the easy stuff. Yeah, I think we should talk afterwards, because for me it's working, but it's directly deployed on one single server, and yeah, I cannot see why it would not work. I mean, what I do is that I have a redirection from HTTP to HTTPS except for that specific, for that specific well-known URL. So maybe if you are doing it in a different way, that will be different, but I would really need to see what you are doing to help you, but we can do that after, except that after I have a lightning talk, so that will more be like tomorrow, or if you are going to Brno downtown, I will be there somewhere trying to spend my Czech crowns. Yes? So the question is, how do I deploy FreeIPA with Ansible? No, what kind of config? Yeah. So that's a question mostly about Ansible. Basically, how do you do a good design for getting access to the servers?
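The Apache side of what the speaker describes (redirect HTTP to HTTPS, except for the well-known ACME challenge path), as an added example for this transcript and not the snippet from the talk; the hostname and paths are placeholders, and the syntax is Apache 2.4 (the version shipped with RHEL/CentOS 7).

```apache
# Added example, not the speaker's snippet. Plain-HTTP vhost whose only job is
# to answer the ACME HTTP-01 challenge and send everything else to HTTPS.
<VirtualHost *:80>
    ServerName www.example.org

    # The ACME client (for example certbot's --webroot mode) writes the challenge
    # files here. Keeping them under /var/www also keeps the default SELinux
    # httpd content context, so no policy change or boolean is needed.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything except the challenge path goes to HTTPS. The target hostname is
    # spelled out rather than taken from the Host header, so a request with a
    # forged Host cannot turn this into an open redirect.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://www.example.org%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

For the reverse-proxy-in-a-container setup from the question, the same exception has to be carved out at the proxy, before its own redirect rule: if the proxy sends the challenge request to HTTPS, the validation server never reaches the container serving the challenge file, and the certificate request fails with an unhelpful error.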
I personally have one server which is a specific, secure server, with a root key that can connect to the servers, and when I cannot, well, okay, I'm lazy, I can connect directly as root to the server, but the goal is to not do that later, like when I will be less lazy, in maybe 20 years, but in an ideal world you will not get access; you will have access only from a specific SSH key, with all kinds of protection like limiting by IP, because it will be on a server that does not move, and that server is running Ansible and connects to all the servers, and the way I've done it is that when I push by Git, it triggers some kind of script that connects to a specific user that deploys Ansible and everything, and that deploys also with cron. Another way to do that would be to use ansible-pull, where you are not connecting at all; it's the server that downloads a playbook and runs it. The only problem with that is when you start to have passwords that you want to distribute, because you do not want them to be easy to download by anybody, so you need to set up some kind of GPG stuff, or use something like Vault or the FreeIPA feature for distributing passwords, which is working well, but you still have some kind of bootstrap problem, but we'll leave that as an exercise for the reader. Yeah, exactly like what the Fedora infrastructure is doing. No, yep, another question. So the question is, I mentioned Salt and Ansible on the slide, and is it some kind of, is it an example, or is it a case where I can combine the two, and the answer is yes for both of them. I'm using Salt for that specific project, but I prefer Ansible. I'm doing some work upstream on Ansible, like fixing all kinds of crappy bugs that I find, or sometimes that I added myself, but you can also use Ansible over Salt, which is quite a nice trick, but I will not speak about it, because I'm doing a lightning talk on that topic later. So no, it was mostly just an example of what I use.
I use Ansible, I use Salt, it could be Puppet, it could be CFEngine. It's just that Salt is quite easy to get started with and it covers a lot of stuff, and Ansible is easy to get started with, while Puppet is getting more complicated to install, CFEngine is not even packaged, and this kind of stuff. So I recommend for people who are really new to system administration to start with that, because it's simple, and if you want to get something complicated, sure, we can find something without documentation and this kind of stuff, if that's what you want, but maybe you want to do your job, and Ansible it is. So no other question? We still have 10 minutes, so you can ask me anything. I can speak about Python development, or about French policy, about dance, about nothing, whatever you want. Yes? So what do I think about changing the SSH port? I think it's, well, on one hand it works, because you avoid most of the scanners. On the other hand, well, sometimes you get blocked. There was one slide on that, and I know a few places where I go to work, like a university or library, where you cannot connect on anything, where you cannot connect on any port, or not at all, and you can connect on port 22 because there is a sysadmin and he knows that people want to do SSH. Sometimes you just can't. So I prefer to avoid doing that, but a lot of people like it. So it depends; you can try, and if you see that you are blocked, well, then you change it back. For example, inside Red Hat, we do have something where you have one specific box in the data centers that does caching, and when you try to connect with SSH on port 21, it tries to see that it's not FTP, and it does not work. So we have a Gerrit server which is listening on port 22, and we had SSH listening on port 21, and suddenly it was not working anymore, and people were not able to connect, and they said to me, yeah, there is a problem. I said, nope, it's working for me, because I'm working from home.
There is no one doing man-in-the-middle, but from the office, it was the case, and we discussed with the network team and said, oh, you are using the FTP port for something which is not FTP, and the DPI stuff is detecting that and blocking that, so change the port, and it was okay, because in this case we did detect it quite fast, but if you discover that at the wrong moment and you cannot connect to the server, it can be quite bad. Like when everything is broken and you cannot fix it, it's something you want to avoid. Yes. It's not about, so the question is, I mentioned fail2ban and that I do not like it. It's not, there are better replacements, but I do not use them, so I cannot tell the name. It's just a concept that I do not like, that someone could just connect from the same IP as me and just block me on my own server. Now, it's efficient. I know that Fedora was using it. The problem is that Fedora was using it, but they were also getting a lot of false positives, like someone in some country, let's say Belgium, shares an IP with someone who has a botnet, and they cannot connect, so they go see the admin, the admin sees that the IP is blocked, unblocks the IP, and this kind of stuff, and it's consuming time that this admin would prefer to spend discussing on IRC or posting on Slashdot or this kind of stuff. Which is bad. Yep. So did I try to use port knocking for the firewall and everything? No, I think it's fine and it's quite fun, but I do not want to use some complicated stuff that requires me to connect as root or something like this each time I want to connect, and the more TCP ports I need to connect to, the more I risk them being blocked. It's fun. Well, it's nice. It's something that all security geeks try, but I think that in practice it does not improve security that much, because the problem was that the password was weak. So I need to fix the problem at the root cause, which is get a good password, or do not use a password. All right, yep. Question? Nope. Yeah. Yep.
So for backups, you need to, it depends basically on, you need to make sure what you want to back up, how much time you can, basically how much resources you can spend on that, because if you have unlimited storage, then okay, make a snapshot of your virtual machine every hour and store that on your petabyte of storage. It's fine. Most of the time you do not have that, so you need to be smart. Like, is it okay if I have only one week of backups for the logs? Do I need to make sure... Sometimes backups are not the solution. More it's about making sure that the data is replicated in several places, which is fine unless someone removes something, but it really depends. You need to look at what you need to do. You need to make sure that it's replicated in different systems. If you can get something that has, as NetApp has, a nice system where you can remove a file and it's not really removed, it just disappears from the file system but you can still get it. So if someone makes an error, like you want to remove a whole directory, you forgot a space, which erases everything, it's quite easy just to get it back, and it's self-service again. The admin does not like to be disturbed, so if it can be self-service for the developer, it's perfect. And sometimes you also need to make sure that you can restore backups, because it's nice to make backups, but if you discover that you cannot restore anything, like, oh, I downloaded my whole database but I forgot that everything is encrypted and I didn't save the encryption key, well, you are toast. So you need to make sure that you can restore. You need to make sure that this is documented, because obviously when you are doing the test, it's okay, you can take your time. When everything is broken, the production is broken, and people are just asking every five minutes, is it working, is it working, is it working?
You tend to be stressed quite a lot, so test the backups, automate them as much as possible, and make sure that the backups are secure, because you want to protect the data, but at the same time the data will also be in the backup. So not everybody needs to have access to that. You need to make sure that you are using redundant hardware and everything, and make sure that if something is broken on the backup side, it should be treated as a production issue, because maybe your hard drive which is broken on the backup right now is the same brand of hard drive that will be broken tomorrow on your production server, so make sure that you get everything fixed right away, and yeah, but that's basically the standard stuff that you can get from the literature and everything, so I don't have anything special. Yep. So am I using a network vulnerability scanner? No, most of the time. Clearly I should do that, but the problem is that there is, first, a lot of false positives, and I was focused on the security rather than finding some stuff. The problem I have at my job is that I get some servers that I didn't install, and I need to clean them and reinstall them, so a network vulnerability scanner would be able to show me that indeed there is a problem with the firewall or this kind of stuff, but I'm not there yet. Once everything is secured, yeah, it will be good to get another team to do some kind of penetration testing and everything, and we do have a team inside Red Hat doing that, and from time to time I fantasize about having free time and being able to organize an event like this, but I do not have free time, but if you want to do that, just send me an email, then send it to me, I'm gonna scan everything. I might be angry or not depending on my mood, but you can do that and report to me any kind of error you find. So yeah. But I do not trust that much these kinds of tools, because sometimes they can be quite destructive, and that's not something I want to do on the production server.
Most of them are sitting there, but then they try to find some crappy stuff, like "Oh my god, you have an SSH banner, so we know it's running SSH." OK, yeah, thanks. But that's not a vulnerability. So, yep.

So the first question is, I have, like all sysadmins, well, all people, too much email, and especially logs. No, I do not check logs, because I do not have time. In an ideal world I should have something, but it's more to check when something goes wrong, which is bad, because I did see a presentation from one of the NSA managers who said that what they fear is someone looking at logs, because they see that something fishy is going on. Most of the time sysadmins do not do that, and I do not do that because, it's not that I do not care, I don't know what to look for. I do have monitoring and everything to warn me if suddenly something has disappeared; most of the time it's me who removed it, but it's this kind of stuff. But that's something I should do. Yeah, but I don't.

And the second question is, do I use Snort, or an IDS? No. Again, because with Snort, most of the time, first you say "Yeah, great, I'm gonna see if someone is trying some complicated attack on my whole infrastructure," and then after one week you just see that everybody is pinging your server and doing all kinds of nmap scans from, let's say, China, because they have a lot of IP addresses, and you say "OK, ignore, ignore, ignore," and you never have anything. It's mostly something that makes security geeks quite happy, but in practice it's a full-time job just to check that. And yeah, most of the time you do not have that. You do not have the time. Again, if you are a part-time sysadmin, it's not your full-time job, so I would not recommend doing that.
The other problem with this kind of tool is that Snort, for example, requires running as root, or having a privilege, to be able to inspect the packets, and you do not want to have something that gets random binary packets from the internet running as root, because parsing and all kinds of stuff is where most of the problems are. And so that's where, I think, I finish. So I will finish that question later, and thanks for coming, and see you later outside.