All right, that's it, let's the talks begin.

Speaker number one is don't make it fast, make it real, AHP. Yeah, so a very quick talk on real-time. So there are many terms related to real-time systems

and they often get mashed up in many talks I've heard here in discussions and so on, so just a few quick starting points. So real-time, in normal computing systems, you look for logical correctness. So if you add two and two and you get four,

if you're not in an Orwellian country, then it's correct. In real-time systems, this result also has to come at a specific point in time. And this is the temporal correctness. So the timing aspect is usually given through some kind of deadline,

just some defined relative or absolute point in time when the computation must be ready and the output exist. Often in real systems, this occurs periodically where usually the period is identical to the deadline. So every five milliseconds, you really need to have computed your next motor position, for example.

There are characterizations of real-time systems. One is soft real-time, which you usually want for audio-video systems or some live ticker for your favorite sports game. There it's important that it is kind of soon enough after the event has happened, otherwise everybody else is cheering

and you are missing out. On hard real-time systems, think of robotics or actually any moving physical object, the motion usually has to halt at some point in time. And if it's too late, it will crash into something. And crash, I don't mean restart it, but kind of remanufacture it.

So some basics, some basic terminology. Resolution is the question, how fine of a distinction you can make. Precision and accuracy are two different aspects. So you can have a low precision and a low accuracy as you see in the top. You can have a low precision and a high accuracy

as you see in the bottom. And of course, make the other two combinations. And the ideal, of course, is high precision and high accuracy, which is a typo in the slide on the bottom right. So this is now spatial, but in real-time systems, you have to transfer this visualization to the temporal domain.

So you can have systems that have a really high temporal accuracy, but a low precision which may be acceptable or really bad. So speed, what I usually see when people say, oh, this is so fast, it will be real-time capable is that they run their function in a loop

a billion times and measure the average speed. But what we really have to look into is the worst case execution time, especially if you have some fancy non-deterministic algorithms, this becomes important. So on the plot on the bottom left, you see a couple million iterations of a function

and the time it took to complete them. So the average is really good, but you have those three spikes which are the worst case execution time or oops, the robot just crashed into the table. That's why if you think about functions or systems that are capable of real-time, please do not only look at the average,

but make a histogram of all the runtimes and there you really don't want to have a large deviation as on the right side. So we are looking for determinism here. Networks, of course, at the Congress, I don't have to introduce the terminology here, too much bandwidth, just amount of data

transferred to time, latency, the duration between the data has been sent and when it has received. Chitter is the variation of the latency and the cycle duration you always have once you have a system that has to exchange data repeatedly.

So an RS232 serial connection really has a low bandwidth but also low latency and a very low chitter, so it might be actually a good choice. You usually TCP IP over Ethernet switches is high bandwidth, has an okay latency, okay chitter depending on the utilization of the switch.

Fieldbus systems that might rely on standard Ethernet reduce the bandwidth but really make sure that your latency and your chitter stays in the specific amount. And I'm running out of time, obviously, which I knew, but the slides are also for reference.

The quote by Tannenbaum, never underestimate the bandwidth of a station wagon full of tapes hurling down the highway. Yes, high bandwidth, but really bad latency and bad chitter. So, the same is true for latest scheduling. Three, two, one. If you are interested in the slides,

just send me a mail, I'll also put them on the wiki, so this is meant as advertisement for a quick look up slides for real-time systems. Thank you. Thank you.

All right, we will continue with the next talk, avoiding singularities in robotics, in four by three ratio.

Okay, so thank you for being here. We're gonna talk about robots, so I assume you all more or less know

something about them. There are basically three types of robots. We have parallel robots, serial robots, and hybrid robots. You probably know these two, these few platforms. They're known as parallel. They have basically good payload to weight ratio,

so they can handle heavy things. They're fast, but they often have a small workspace relative to the size of the machine. The workspace is also segmented to different works, smaller workspaces because of singularities.

If you know the DEXA type robots, you've probably seen it. There are many, many types of parallel robots, all trying to avoid the singularities. We have some really strange architectures, but there's always some limitations.

We also have, wait, let's go here, serial robots, which you know, they have a larger workspace, which is also segmented so motions are not possible. If you go see this video, there's no URL.

Okay, maybe it's, I see what went wrong. Old slide, sorry. So, they are quite slow and they cross singularities. Also a big problem, we don't want singularities. So, that's a new type of robots, which are,

where's the thing? I don't see the light. Oh, here, okay. Yeah, with those type of robots, maybe you've known them, they're anthropomorphic. We use elastic elements in series with the actuators

because they're highly synergistic and those elastic elements make structures really shaky and not appropriate for industrial use, for example, living heavy loads like cars and stuff like this. So, what do we do? We drop away parallelism.

We drop away singularity, access alignments and we screw everything again. We base structure, we use a structure based on

tetrahedrons and I have some accessories here. Yes, I made a model with marshmallows and yesterday it was too soft and now I'm afraid they break because they're dry.

So, if you have a swing like this, it's not a very pretty swing, but it will work.

Okay, that's a swing. It stays, now it's happy. If you put like this, it falls into singularity, one way or the other. So, what we do is we take many swings like this

and we have one triple swing, which is falling into a singularity. Then we have a double helix, same like you're putting like this, a swing, which is also falling into a signature, but on the other side. And then you have a triple helix,

which is completed by doing the, with the passive elements. It's interesting because you can adjust the stiffness. You, instead of having singularities,

which you must cross and go around, the targets and the current position become the singularity. So, the robot will travel to and from the target in a spiral fashion and. Five, four, three, two, one. Thank you for being here and I hope you like it.

Thank you. The next talk is Cnaps, also in a four by three ratio.

They stole the clicker. Do you still have the clicker? Wait, wait, wait. Actually, that's the last slide.

All right, let's go. Good morning, beautiful people. So, I'm talking about Cnaps. It's basically a block chains, arts and people.

So, a quick rundown. It's gonna be a three day festival in September in Leipzig, which are 12 concerts so far, eight workshops, two conference tracks. And you're wondering, what? Block chains and smart contracts are touted as one way to have fair compensation and creative labor.

We can also see it at the Congress where we had two block chain lightning talks and the easy cash talk by Pesco yesterday, which I highly recommend. And the whole setup we are running is basically a fog of Lissiers Electronique from Toulouse. Okay, a few people know about it. So, why?

We want to explore better payment methods in the future. Also, we want to have a real world use case for experimentation and a use case that not limited to ransomware payments, financial speculation or drug trades. And also, since everyone sort of seems to like block chains, we want to see it like let it shine or let it crash.

So, how? We currently have bold wallets which are tied onto wristbands. There will be contracts between participants, which means there will be percentages hashed out like how much gets the artist per performance, how much gets the staff, et cetera, et cetera. And we're also integrating with the local economy.

That means we have already talked to shops, et cetera, so we can not only pay at the festival, but also for stuff outside the festival. So, we want you, we want you as an artist to work with current technology. We want you as a hacker to play with block chains on a larger scale, also with smart contracts.

We want you as a supporter, which means you contribute whatever you can, not only imaginary cash, but also hard cash. And also as an attendee, just come hang out, enjoy the festival. So, there's a really bare bones website up. If you think you can make it better, come talk to me. There's an email, contact us via email.

It's the best way to do. I'm sitting in the front. Otherwise, probably the BSD assembly. And that's it. Thank you very much. I told you it's fast. This is what happens when you promise a speaker a cookie if he's fast enough.

I hope you have a cookie now. Where's the cookie? Where is it? All right, next talk is Panoptikum, 16 to nine ratio this time.

Hello everybody. Welcome to five minutes on Panoptikum. What is it? It's the podcast social network that we all want to have. Who is listening into podcasts already? Please show hands. I built this stuff for you to find new content and to share your experiences with the others

who has not shown hands. I built that network for you as well to get into podcasting. So how does it look like? It's a colorful website with lots of categories, with lots of assets. We have some features already.

For example, currently we have 77 categories, 630 podcasts in and more than 50,000 episodes already listed. We have features for easy access to episodes. You don't even have to use a pod catcher for it.

You can listen with a web player, with a modern one in double speed, whatever you like. We have a responsive layout so you can experience it on your smartphone. We have full text search and you can see lots of more stuff. For example, you could recommend to other folks

their chapters of episodes that you like in particular. If you are willing to subscribe, we have more features to you. For example, a feature listeners of the podcast you listen to also listen to these following podcasts.

Again, displayed in a very simple accessible way, just clicking and two more clicks would bring you in the first episode. And you can listen to the podcasts immediately. What's the roadmap? Public alpha is out already since October. We switch now to public beta

so we are really invited to use that stuff, test it out. Let's see if it can hold your load and we will go live in summer next year. What are future features? There will be messaging between users and podcasters, community driven categories have just been established.

There will be audio comments. There will be a public API, UI improvements and lots more stuff to come. You could send in wishes as a podcast listener. Obviously, we are interested in feedback. You could file feature requests if you are maybe already a podcaster yourself or you could even contribute as a developer.

We are completely open team. If you are into functional programming, we are using Elixir and Phoenix and yeah, just join in the team. We are international, quite small yet, but an open team. Yeah, how can you find me?

Just go to the website. It's panopticum.io. You find all the details and concepts there or if you're interested into podcasting, just come down to the podcasting mentee table which is right behind Send It Centrum in the ground floor. Yeah, that's my talk. Thanks very much for your attention

and get into podcasting. Thank you. We didn't promise him anything. So, the next talk is going to be in a four by three ratio. The other side of the incest for both.

Hey, I'm gonna talk very fast, so listen up. I'm, one sec, okay. I'm Luis Fabu, the other secretary of the tinkering to come. As you may or may not know, the tinkering to come is a movement interested in the gathering and use

of pieces of and for the tinkering. We tinkerers are using all kinds of wonderful things, not just technological, but further most cultural artifacts and practices in other ways that were forecast by their engineers and as such, we feel quite welcome here among hackers because one could say you tinker too. Today, I want to talk to you

about tinkering with your personal relations to maximize your degree of freedom when you're walking away from this gathering and out into the wilderness out there that is called civilization. So, this is a photo of eight month old me already looking quite fabulous. Notice the sense of wonder on my face and the already quite dedicated hand posture.

The point of this picture is that the difference between me then and now is that I was alone. Alone in the sense that I didn't have any peers. Alone in the way that many of you here can understand. It is because of the dwindling birth rates in the West, people tend to have less siblings. I for one gained a brother about 16 months later and it improved everything in my life dramatically.

But let me explain. Siblings are not only wonderful people, the sibling relation is ruled by deeply embedded cultural principles and is something almost everyone has an understanding of. Basically, you get thrown together with another random person with the same mother of roughly the same young age and then you're allowed to get to know them

as deeply as very few other humans. You will go with them through important events of yours and their lives, the good ones and the very, very bad ones. Unconditional love and solidarity will be expected of and societally enforced in siblings even if they seem at times to be very evil creatures. And much more important,

your desire to not be alone in the aforementioned wideness will make you stick like glue to them. In most cases, it will work until death lets you stand at their graves or vice versa. And most of the times, I spoke to many siblings, old and young, it will have been more than okay. But there's power in the world

and power rules supreme at least for now. So this is a photo of the French intellectual and ethnologist Claude Levi-Strauss. He first described what we now call tinkering academically. In his book, The Raw and the Cooked, he wrote about, we are getting there, the origin of the incest verbote and characterized two parts.

The ban of endogamy, meaning sexual romantic relationships between siblings and the bid for exogamy, meaning the expectation of society for you to look out to form such relationships with the ones you are not related to as your top priority in life.

Other way to say it would be incest is what you call a taboo. You shall not have siblings that are not related to you by law or blood. And on the other hand, you shall not form monogamous romantic relationships, you shall form monogamous romantic relationships wherever you can. This is obviously what you call a naturalistic principle.

We of the tinkering call it an ideology of romantic love. This is a picture of Jacques Derrida. In his book, Politics of Friendship, he asked two questions, why we limit relationships to blood or eurydical relation and why we limit our ideals like liberty, equality,

fraternity with gender norms or the patriarchy. He proposes to form relationships more creatively and free the ones we tied to power by excuses like biology or the law. In other words, why not have unrelated siblings if this is already a well-established and good kind of relationship that you could wish to have with people.

To conclude, we who are of the tinkering propose to neglect biology and the law and to form relationships of love and solidarity by embracing the other side of the ban. Because what remains is, you can make every other your sibling by consensually subscribing to the taboo, the ban and the bid. Artificial limits make art.

Lastly, I have to disclaim. Through hard times, good luck, a few leaps of faith and of course consent, I acquired a sister myself a few years ago and we defend this relationship ever since. She's an other unrelated and maybe younger than me but she's my older one. And it was the best thing in a long time that happened to me and it was, as I explained,

tinkering, which is the greatest thing in the world and you won't get a picture of her because you would hate that. Thanks a lot. Thank you. Next up is version control. Thanks. Next up is version control for writing musical notes

and it's in four by three ratio. How does this work? I never had such a thing in my hand. Just press the right button. So I don't have a product. I have a question, which is how to use version control for writing music

and I mean by that for composing, not for engraving music because for that you can obviously use Lily Pond. Once you have done anything with version control, you also want it for composing because composing is actually a lot like coding.

You try out things. You do test some things you like, some things you don't like. You want to get back to your earlier versions, so you totally want it because everything else feels like Stone Age. Yes, and when composers who think in musical score, as opposed to composers who use loops or graphic notation or other things,

they think in musical score. When they compose, I haven't met one who writes Lily Pond code. Like they really want to write notes, so you want to use a WYSIWYG editor. The best I could find so far was to export, so I used MuseScore to export MuseScore on an SVG file

and there is an SVG diff viewer on GitHub, which could be like, this would be the closest to a solution that I found so far, but there's a problem and this is that musical score is justified print, so all lines are the same white and if you change something in a line,

it changes the whole line and it's likely to change the whole piece visually. So there's an example. If you look at example number one and two in the upper line, like in a treble clef, it's the same notes, but you have to compare them one by one. So if you would use this in a diff viewer for SVG files,

it would not be of any use. So my question is, how can one signify what has changed? Does anyone have an idea how to show a diff on musical score that works with a vis-a-vis editor? That would be great. And if you have an idea, please talk to me.

So GSM is 2318 or Benjamin Vaunt on Twitter. Thank you. Thank you. We still have plenty of time, so maybe if someone in the audience has a hint for you right now.

Anyone, please stand up. No. Then we will just continue with the next talk. Which is financial surveillance versus responsible journalism, also in four by three.

Hi, my name's Tom. I'm a data journalist at a newspaper in the UK. And data journalism can mean lots of different things, but for me, it's not about visualizing data and making interactives. It's about doing investigations

and finding stuff out using data. And I'd like to tell you a bit about something that I've investigated recently, and a little bit about how I did it and what I found out. And it's about financial surveillance. And in particular, it's part of this financial surveillance system that's evolved since 9-11,

in which banks are told you must not provide services to terrorists. That's quite self-explanatory. There's also been a push to tell banks, you must keep an eye on politicians who are using your services in case they try to launder corrupt funds and if you do that, it's your fault.

So in order to allow banks to fulfill these obligations, there's this database called World Check, which is compiled by Thomson-Royces. They use open sources such as sanctions lists, reports in newspapers to compile listings about people.

I'm not the first person to have investigated this database. There was a story by the BBC about a mosque in London, which had found its bank account had been closed inexplicably. And they noticed that they had a listing on this database, which had connected the mosque to terrorism incorrectly. Then earlier this year, Vice News did an investigation

into the sourcing of this database, which found some problems. So I'm gonna have to speed up. Over the summer, some security researchers in the US, Chris Vickery at MapKeeper, found a copy of the database on an exposed internet site with no authentication whatsoever. So I thought it might be interesting to take a look

to see if we can find out more about the problems with the database that have been reported on. So before I did that, I said, why do I want to look at the data? I've mentioned that. Is it ethical? There's information in the system about individuals, it's personal information,

but we are trying to serve the public interest and establish problems with the database. Is it legal? You might think that because the information is public, that it's fine to just look at it. That's not true. The Data Protection Act still applies to already public information. So we had to establish that there was a public interest

in doing this. I wrote a Python script to load the data. It was a four gigabyte line-based JSON file, and I kind of flattened that and stuck it into Postgres so that I could query it. Then I did things like select all the entries where the biography contains the word activist,

because we would not want activists generally to be in this database of terrorists and senior politicians. I also, I needed to see exactly what the database looked like to banks that were using it. So I went to Google and did a file type PDF search,

and I found actually a printout from WorldCheck that someone had been stuck on a public webpage. And then I also thought, I noticed an entry where all of the entries list the web pages that they've used to compile the information. And I noticed one of those was a weird conspiracy theory website. So I went and found a list of conspiracy theory websites,

loaded it into my Postgres database and did a join to see if there were any other conspiracy theory sites mentioned, and there were. Finally, I needed to confirm which banks use this. They say in their marketing material that 49 of 50 of the world's biggest banks use WorldCheck,

and I wanted to make this relevant for my UK audience and confirm which UK banks were doing this. If you ask any of the banks, they won't tell you anything about this. So I went to LinkedIn and searched for WorldCheck site LinkedIn.com, and people gave quite a lot of information about how they do their jobs on LinkedIn.

So this guy has mentioned that he uses WorldCheck while he was working for Barclays. And then this is how we told the story. We focused on some specific examples like this nine-month-old baby who was the child of a minor member of the royal family, was included on the database

as a politically exposed person because they could be a money launderer. That's pretty much my time up. If you'd like to read the story, please drop me an email. If there's any other data you think I should look at, please also email me or give me a call this afternoon and we can talk. Thank you very much. Thank you.

Next up is Make Politics Fun Again, Austerity Map and 4x3 Ratio. Many of you potentially have had the situation. You talk about politics and then there comes this reaction.

Come on, let's talk about something else. It's boring. Yeah, I know there's Trump, but how does it affect me? And an easy slogan would be to say, make politics fun again. So why should politics be boring

if it affects our everyday life? Now, I think the problem here is that if you don't wanna be a populist and claim easy solutions for complex problems, you easily get into this territory that you have a lot of statistics.

You can talk about income inequality, social inequality and all that stuff, which is very important because it affects millions of people, but you can't really relate to a statistic. So that was a nice talk on the first day here about data visualization and 1,000 refugees dying in the Mediterranean

pretty much does nothing, but one person with a picture dying generates lots of donations. So how can we turn the topic of income inequality or more specifically austerity, which may be more commonly known as the devotion to the black zero with Schreibler as the grand cleric,

how can we turn this into something where people can easily understand the topic and relate to it? And I think there we come to a potential solution, a map.

So one could use open street map data, for example, as a backdrop, starting with universities and then gather data about specific consequences of austerity like overcrowded classrooms because you don't have enough money for professors and so on, or crumbling infrastructure.

I think there are lots of examples out there. Or if you wanna expand the scope, you could look at public baths that are closed or libraries, museums, theaters and the list goes on. So there's a lot of data which could be gathered and presented on a map. And then if you look at it and have a red dot,

for example, for every specific issue that follows out of austerity, it all of a sudden becomes visible. You can look on it on a German scale, for example, or Europe, depending on how many people would participate and how many people would do this project. And then you can see, yeah, there are lots and lots of specific things happening.

So it's not anymore some abstract academic problem, it's some specific problem that you can relate to. And I think that could potentially also change the political discussion, especially depending on how good this could be realized for the 2017 elections.

If you have the ability for progressive parties, for progressive politics to really make arguments on a relatable emotional level that is not populistic. So if you have more questions, which I can't go into here because of the time and the length of this thing,

feel free to contact me on Twitter at two martins or write an email to austerity at two martins. And because there's a little bit of time left, I just wanna say after all the events in this year, you may all live long and prosper. And if you're eligible to vote, go vote in the next year.

Thank you. Next up is Panopticon in four by three. It's a four by three day today, I think.

Hello everybody, my name is Kaj. And I'm today here to tell you about a little open source project I do, which is called Panopticon, which is a Libre cross-platform graphical disassembler. And it's meant to be a replacement for commercial applications like either Pro, Hopper, BINDIF, and Deluxe.

So this is what it looks like. You can open binary, it will start disassembling and give you a list of functions. You can click on one of the functions and it will display the control flow graph. You can pan around in the control flow graph, zoom it at comments, and explore the application. Currently it supports inter-architecture,

both the 32 and the 64-bit variant. It also includes most of the SIMD instruction architecture, so you can disassemble the crazy memcpy, highly optimized versions that are in the glibc. It also supports the two 8-bit architectures,

the AVR and the MOS 6502, so you can analyze your C64 applications. Currently it only supports ALT files and a PE loader is currently being developed. What Panopticon wants to do better than most of the tools we have now is to make a bit more aesthetic analysis

accessible for people who don't have PhDs in computer science. So most of the tools we use now do not know much about the semantics of the opcodes. So they know what they look like but they don't know what they do. What Panopticon does is when it disassembles a mnemonic, it also emits a short snippet

of code in an easy-to-analyze language called RAIL, this R-R-E-I-L. This language can be used to analyze the operations that are done in the application. So you can do something like track data flow throughout the application. Panopticon, for example, can figure out

when a function kills a register or reads it. Also, when you have a rather complete implementation of this, you can also do more advanced static analysis like bond model checking or execute parts of the program using intervals, for example. So you can fix a certain register

to an interval, say from zero to one million, and Panopticon will give you all the other intervals that are possible when the application executes. Everything is written in Rust. It's around 25,000 lines of code. The front end is done with Qt and written in a language called QML, which is essentially JavaScript.

This allows us to make Panopticon look more or less the same on all operating systems it supports. So this is the website. In case you want to help me, just check it out. You can go there. There's also a link to the GitHub repository.

We have an open development model. You can use the issue tracker. You can send me a patch, and I will try to merge everything. Thank you. Thank you. Next up is Libra Solar in 16 to nine ratio.

Yeah, hello everybody. I want to introduce a project called Libra Solar, which aims at developing open source renewable energy hardware which can be combined into a system and then used for different applications.

Oh, I'm sorry, that's the old version of the talk, and I sent you a new one. It says here, modified yesterday. Okay. Yeah, I mean, we still have time. We have lots of time, actually. We have six minutes. I have six minutes to check my mail now.

I can go slowly with this. Let me just start up all this tunneling stuff and so on. Yeah, yeah, let's all whistle the Jeopardy melody. That's nice. So, I hope we're not getting sued for that solar.

Libra Solar. Martin Gaeger. Oh, okay, you sent an URL. Yeah, it's the same URL.

Okay, yeah, yeah. I'm very sorry for this. No problem. Actually, this never happened to me before before that something gets messed up during the lightning talks. Let's see.

So, I have some other slides here. Maybe these are the correct ones. I'm sorry for interrupting this. Correct ones, and a bit less slides, so I hope to be in time in the end. We can reset the timer. Would you like to start again? No, it's okay, it's okay, it's fine.

So, yeah, the applications for the components are listed here, so either off-grid energy supplies, so if you're living in a caravan, you could use the system or in a boat, then it could be used in festivals and other events, or also for rural electrification, although until now the components are a bit too expensive probably.

Yeah, and also for disaster areas like floods and so on to get a stable, easy-to-use energy supply. Then, of course, grid connection could also be used, so you could extend your normal AC grid for self-consumption and use the battery in the system, and then feed the excess energy into the grid.

Most important features are it should be easy to use, so also plug and play for my mom, and without any advanced configuration. Then with the use of a communication interface, you can put advanced features into the system.

It should be safe, so a voltage below 60 volts is planned, and it should be reliable. So how could the system look like? This is the most obvious approach, so you take a battery and then put some different components to the battery bus, so it could be a 12-volt lead-acid battery

or also a lithium-ion battery, but the disadvantage of this system approach is that the voltage of the battery defines the entire bus voltage, so each component would have to know what the voltage set points of the battery are. So if you introduce a second DC-DC converter

between the battery and the DC bus, then you are able to set the voltage independent of the batteries, and then you are also able to introduce more batteries and enhance the reliability. With this approach, you can use the bus voltage to have a very basic mean of communication,

like in the normal AC grid, you have the frequency and the voltage, and here you could use only the voltage to communicate if there is more renewable energy in the system or if you should be careful with using energy because it's low in energy. So a high voltage would mean you have a lot of excess energy,

and low voltage means you are almost switching on the diesel generator in case of an off-grid system. So with this approach, you can also prioritize a load, which is seen on the right, so if you have a set point where the loads are switched off,

that would be this location, then a load with high priority would be switched off later than a load with lower priority. Yeah, and also for a diesel generator, you would switch it on as soon as you reach a very low voltage, and if you have really much excess energy, you could even use it for heating.

So for this system, of course, we need some components, and the start is now a 20 amp DC-DC converter, which is normally used as a MPPT, solar charge controller. MPPT means you can track the maximum power point of the solar panel.

The previous version was 12 amps, but now with the 20 amps version, you can use one large, cheap rooftop panel and attach it to a 12 volt battery. Yeah, the new revision is shown below, and it will look like this. So yeah, with nice housing as well.

It's based on ARM CPUs, which are maybe a bit overkill, but this enables you to have sophisticated communication measures. Now we are planning to use the CAN communication protocol with the CAN OpenStack on it, and this needs a bit of processor power, so the initially planned AVR microcontrollers

were not sufficient. Yeah, you can extend the boards with a flexible connector and put your own displays, have other ADC channels and other digital end outputs. Then there's also a battery management system for up to 15 cells in series,

which handles all the balancing and protection stuff of the lithium ion battery, also based on an ARM microcontroller. The board looks like this. Yeah, and now I'm almost done with the talk, so if you are willing to collaborate, yeah, visit our GitHub repository or directly contact me.

As open hardware development is a bit more difficult than software development, because you need some hardware to test it, then we could potentially order some more PCBs together and work on the system. Okay, thanks. Thank you.

And again, my apologies for not having the slides ready. This is really, I'm really sorry. So let me just get it up again. The next talk and the last one before the break is a JavaScript story or JavaScript,

or whatever you want to pronounce it. Hey, so I like to sometimes do this. Open the browser, you know, you're just sitting there at your computer,

have nothing better to do. You think, okay, let's open the browser, let's browse the web. And so you go to this really cool web page, like you'd be typing, typing, typing, and then you type the other supercenter and you get a blank page. So what the hell?

I mean, why can't we at least have this? Seriously, how hard was that? How hard was it to do it? Well, it was exactly this easy. So web devs here in the room and friends of web devs,

please learn this. Please, please, please. Thank you. Thank you. Let's start with the last part of the last session

of the lightning talks on the last day of Congress. The first talk is going to be WhatsApp vulnerability in 16 to nine ratio. Hello everybody. My name is Tobias Borta and I want to quickly share a flaw that I found in the WhatsApp. And you might also want to call it backdoor

because it efficiently allows WhatsApp to intercept targeted messages and they haven't fixed it since April. So yeah, the WhatsApp is used by 1 billion users all around the world. So six out of seven people do not use WhatsApp. They were one of the messengers

that early on had an effort to implement end-to-end encryption, fortunately. And they completed this effort in April, 2016. They implement the signal protocol, which is pretty much state of the art when it comes to cryptography. And it's known from the signal messenger, which was previously known as tech secure.

So let's quickly look at the flaw. So Alice and Bob want to communicate. Therefore, Bob uploads his blue public key to the WhatsApp server. Alice downloads this key. And if they do not want to only do opportunistic encryption but really do end-to-end encryption,

they would meet in person and verify their fingerprints of the public key. So now when Alice sends a message to Bob, she would encrypt it with this blue public key, here highlighted as a blue text. But now when the WhatsApp server immediately after that announces a new public key for Bob to Alice's client,

let's say the green public key, which actually belongs to WhatsApp, for example, then the Alice's client would automatically re-encrypt the message with the new public key and re-transmit it to the WhatsApp server, effectively allowing WhatsApp to read the message. Only after that has happened, a warning is displayed on Alice's client.

And if there are any Android experts, in the audience, then you could maybe also check what happens if after step six, the WhatsApp server would announce the blue key again to the client. If the message then would even be displayed, I don't know, you can maybe check that out.

Anyways, the server can always just forward the old message to Bob's phone and then Bob wouldn't even notice that anything has happened. Here are a few screenshots that demonstrate this flaw. Of course, you cannot see the timeline on the slide, so that's a little bit weird, but yeah, it works.

I verified it two days ago again. Signal, on the other hand, is doing it right. They displayed a warning and they never re-transmit the message again, and there's absolutely no reason to automatically re-transmit the message, not even from a usability perspective.

So I disclosed this flaw to Facebook, which now owns WhatsApp in April. They said this is expected behavior. I said this shouldn't be expected behavior, and then they acknowledge the flaw, but they are not working on changing it.

Yeah, and two days ago it was still not fixed. There are a few more reasons to use Signal instead of WhatsApp. Signal is open source and with their efforts to introduce reproducible builds, you can convince yourself more of the fact that there is no backdoor in the Signal implementation.

And also WhatsApp may store more metadata than what Signal does, according to their privacy policy. Yeah, that was my talk. Thank you very much. Thank you. Next up is LibrePCB, also 16 to nine.

Welcome. We want to introduce LibrePCB. It's in development PCB software. It's a free software. It's not mainly developed by us too, but we're helping a bit. So hi Urban in the stream. About the software, it's a free open source electronic design automation tool.

So you can create a PCB, you can create schematics. It's multi-platform. It's written in C++ with Qt. And it started in 2013, so it's already a few years old, the project. You can find the website there and we're also on GitHub.

So now the question, why do we need a new PCB tool? Most EDA tools are only available on Windows. They are mostly costly if you use it for commercial use. And if you gather a hobby license, you have limitations. The schematic can only have one sheet or the pads or wires are restricted.

Also most free EDA tools are old fashioned and not very intuitive. Most commercial EDA tools use proper binary formats which are not really good for version control. And some of them even force you to use cloud storage. Also the library systems which used to handle the parts

are unflexible and hard to use. So LibrePCB focused on the following features. It should be available for everyone. So it's free and open source software and multi-platform. It has a modern user interface

and you have automatic forward and backward annotations between the schematics and your PCB board. Also the file format it uses is human readable so it's well suited for version control. The main focus for LibrePCB is on the library system. It should be easy to reuse parts of your library.

You reuse parts that others have created and so on. Also it uses UUID so you can't have name clashes and it uses tagging or categorization for all its library elements. And it is prepared to integrate Spice models and 3D models.

So here you can see a screenshot of the application. The idea is that it's an all-in-one application so it's not a collection of different tools that need to talk to each other but it's like one integrated application that should make it easy to go back and forth between schematics and footprints, layouts, parts editing, et cetera.

The schematic editor is this one. So as you can see on the right you have automatically ERC checking live. So if you add a new part it's being checked while it's being added. Thank you. And you can also see the components

which are categorized into different categories and yeah, if I remember correctly, parts can be in multiple categories which makes it convenient to find them. Here you can see the board editor. It's not really finished yet but the basics work already. Yeah, it's what you know from most PCB tools.

And now for library management again. The library manager is quite cool already. It allows you to download libraries from GitHub. It just downloads a zip file currently. So the plan is that you could just download

from user-contributed content and also if you make a fix you could directly create like a pull request from the application if you fix a part. So yeah, the project is still undone so contributors are wanted.

So just fork the repo and commit. Thanks. Thank you. So the next talk is Rust in five minutes.

Okay. Please go ahead. So yeah, after LibrePCB I want to give you an introduction to Rust. First, what is Rust? Rust is a systems programming language

that runs blazingly fast and prevents nearly all segfault and guarantees thread safety. This is how Rust describes itself. So it has data devices with the following features. Zero-cost abstractions, move semantics, guaranteed memory safety, threads without data races, thread-based generics, pattern matching, type inference.

There's just a minimal runtime without garbage collection and efficiency bindings. So this is just a description that you can read on rustlang.org. So if you talk about safety, we talk mostly about memory safety and type safety.

And classically you have C and C++ which give you a lot of control but not very much safety. And on the other side you have Python, Ruby, Java, C sharp which give you more safety but less control. So the question is why can't we have both? And Rust gives you more control and more safety,

or it tries to do. So it's come to say fast, safe, concurrent, pick three. That's the motto of Rust. Also, if you say it's a system programming language we mean that you have fine-grained control over memory resources. It's close to the metal, and it's actually possible to write an operating system with it.

To the right is C Redox. It's an operating system completely written in Rust. It's quite cool. Yeah, check it out. If you say it's blazingly fast you mean it's a compiled language. It uses LLVM for optimizations. So you get optimizations from the whole Clang tool suite.

And it features zero-cost abstractions. That's a concept from C++. That means if you use high-level abstraction it should compile down to the code that you can't make any faster if you would do it by yourself. Yeah, and it also focuses on safety. To the right you see the average C++ programmer like me. I mean, with C it's easy to shoot you in the foot.

With C++ it's less painful because it aims directly to your head. And yeah, Rust guarantees you that you have no null pointers, no dangling pointers, and no data races. It uses a unique concept, a new concept of ownership and borrowing. That means every resource has just one owner.

The owner is responsible for acquiring the resource and releasing it. So variables are always moved to new locations but they can be borrowed if you just need it temporarily. But you can either have unique access with mutation or many immutable borrows.

And this is all enforced at compile time which is quite unique and awesome. So Rust comes with Corgo, an awesome package manager. It just fetches your dependencies. It's like NPM or PIP or something. Just learned a lot from the past. So the crates are immutable. So you have no ...

left pad like disasters. The community in Rust is also very friendly and welcoming, so you can just go to IRC, ask questions and everybody is happy to help. And also the language is actually developed in the open, so you have this request for comments on GitHub where you discuss language features and it's also very easy to get engaged.

Rust is used in the wild by Mozilla, Mozilla is backing up the language and using it for servo, their next-generation parallel browser. Also Dropbox is using it, there's an interesting blog post how they use it. MadeSafe uses it and the parity is an Ethereum client written in Rust.

So it's already used. We have time, yeah, we have some more time. This is how Rust looks. So functions are annotated with FM. Rust is immutable by default. Also, if you want to change something, you have to mark it as mutable.

For loops, you have quite high-level abstractions. You can just iterate over all the chars in the string we have here, then use match to match for them, and then, yeah, so much for Rust.

Thank you. Thank you. Next up is Tindering Islam.

There you are. All right. I think this is 4 by 3. I think, I don't know. This looks weird. No. No problem. Okay. Please stay as close to the mic as possible. Okay. Hi, everybody. Thanks for being here. I'm Yasser. In 2017, we're going to celebrate the fifth anniversary of Martin Luther, the formation

of the Christian religion, and today, we're going to form Islam. So we know each religion has a god, and the new information for you might be that

each god has a router. This router transfers the divine knowledge from the hard drive by God and distributes it through the ether in the universe, but not everybody can receive that. Actually, you need special people called prophets who would actually receive this information

somehow and then distribute it to everybody. So as we, these prophets were actually the mobile phones, just like the router when you put it in your home, it distributes the signal everywhere, and then you should look for the right frequency or right place to receive this signal.

And some people, other than prophets, are trying to do this by doing circles until they reach the right frequency, so where they get connected to this divine channel and then get the information. And this is a widely used religious ritual.

So let's talk about the secret recept of Islam. It consists of the holy grail, the Quran, and then hadith, what the prophet said in his life, and the four famous interpretations, which everybody can cherry pick or deny or just, you know, put in the drawer.

So we're going to ignore the last two and just go for the holy grail. It says, if you fear that you will not deal justly with the orphan girls, then marry those that please you, a woman, two, three, or four. So many people would say, oh, yeah, you know, I don't like it.

It's not like what I believe, but I can put it on the side. It's interpreted in another way, and everybody has a different argument for this. So that's why I'm introducing today, Tindering Islam. I think you're all familiar with both concepts, Tinder and Islam.

So we're going to create an app that would show you, instead of people and shallow pictures, would show you what you want to cherry pick and put in your pocket and leave the rest. So it's a pretty simple procedure. The app looks like this.

You will have the verse. Okay, so for the time now, you either say yes or no. And the database consists of Excel or XML or other database formats where the

server actually can manipulate the data and collect it and analyze it. So this is how it works. You have an XML sheet of the Quran that has 6,000 lines and a server application that creates user accounts and then saves your progress over time when you are

playing and then should always ask you the question, do you want to keep this verse or delete it. And then at the end, you will have a layout. So I hope you can read it. You have a template layout, just like an Arabic book with some ornaments and so on. And then you can export it as PDF and write your name on it and publish it to

everybody. So thank you no time. So basically this is a small idea. It's been going around for one and a half years now. And it's a message for everybody, not only believers but also non-believers to create their own version of the religion and stop saying

this doesn't belong to Islam and this belongs so just put it out to the world what you really want. And then we can actually, for the IT people, we can collect data and make statistics and see which are the verses who are liked, mostly liked these days and which are not. And then we can know for an idea what's going on in the Islamic world.

And the last thing is that I would like to break the holy book fake preservation aura. So everybody says this book is holy and should not change. No, it should change. And everybody could actually issue their own version of this. So thank you. Next up I would like to call the IT people to contact me please.

Maybe you say like in one hour we're done with the app and we can publish it today or just we can publish it later next week I think. Thank you so much. Thank you.

Next up is Orwell's Law. Orwell's Law comes in four by three.

Okay, so hi everyone again. I am Zlow and I came here to talk to you about the law which we call Orwell's Law. But first, who are we? We are DBAS and it's not Database as a Service. It actually stands in check for digital security and privacy.

And the main idea is that we want both and we all think that this is achievable to have security and privacy at the same time. We are a newly formed initiative and the reason we formed is because the current situation in Czech Republic is changing and it's changing in a direction that we don't want.

A few months ago a censorship law has passed which gives our finance ministry the ability to censor the internet. Basically they say which websites or URLs shouldn't exist and Czech ISPs are forced to somehow magically make them disappear even though it's technically not really possible but that doesn't mean that it's

not in the law. Currently the law enforcement agencies need court orders to spy on people and that is something that is about to change. And also the secret services are somewhat restrained but not really. It's like a grey area. So what is changing now is everybody wants to defend the cyber.

Even NATO said that cyber is the fifth warfare domain. So they brought this new amendment to the secret service law that basically says every ISP has to implement the black box and it's not

really concrete like they just can't put anything inside. It could be an interception box, it could be a NetFlow stuff or it could be anything else. It's not really concrete at any point.

The thing is that they're not even ashamed that GCHQ helped them to draft this amendment which is really worrying for us. We also know that it's not really a possibility to just scrape this law and not have it. We understand that the state needs to somehow defend the cyber but

at the same time we want to do it in a way that keeps the privacy of the most people possible. So they also introduced GEG orders in the new amendment which are huge. It's not huge in like the European huge but in Czech huge.

So it's a few million euros for every leak of the GEG order and it also applies to all of the employees of the companies. So there's also a lot of shady stuff behind this.

The people who proposed this are more questionable to say the least. They did some weird stuff. Also they want to give this power to the army secret service which was abused two years ago by a lady which is now married to our old prime minister so it's really weird.

She shouldn't be even able to contact the secret service but somehow she forced them to spy on his ex-wife so it's really convoluted and weird. Also the minister who introduced the bill is openly lying in the TV and radios about the new amendment or he doesn't know what the law

actually does and I'm not sure which one is worse. One of the worst things is that there is no oversight. Once the bill is passed there's nothing else that people or the companies

can do because they have no way to challenge the black boxes. They're currently saying that they only want to monitor people like the cameras at the highways which take pictures of everybody and only those who break the rules are then brought to justice.

But in reality what the law says is much broader. So why am I telling you this? I would like for you to go to one of those web pages and sign the petition for us. If you are from the Czech Republic please inform other people about this

or maybe in neighboring countries as well. And if you are a reporter please write an article about this. So that's all I wanted to say. Thanks. Thank you.

Next up is Ervel but you're probably going to pronounce it the correct way. It's a 4 by 3 ratio. I will briefly present you a new generation of helpful cameras.

So it's open hardware and free software reconfigurable cameras. So the new generation, the new camera series are powered by Xilinx Zinc SoC

which is a high performance FPG with dual arm CPU and a huge set of peripherals. The camera is running new Linux operating system but the image compression is done in FPGA and is implemented under the new GPL license.

The camera provides up to 1 gigapixel per second video compressor and anyone is free to modify any camera components, parameters, software, port software to implement FPGA real time video processing, etc.

Or even develop new sensors. This is the new camera PCB design. The previous design is in production for already 7 years.

Also thanks to the FPGA flexibility it was upgraded and extended several times during 7 years. We've had for example free generation of, free revision of different sensors with this camera. The new one is using this Xilinx FPGA with dual arm CPU,

1 gigabyte of system memory and 0.5 gigabyte of additional video compression memory. The system board can handle up to 4 individual sensors or with multiplexer board even be extended to up to 16 sensor per camera.

So the main class of application for these cameras is multi-sensor cameras. You can play with all different camera models on our wiki. We have these X3 DOM models that are automatically generated from step files we use for production.

So you can virtually disassemble and reassemble all camera components on the wiki and if you click on particular component you can see the wiki page for this component.

And of course there are PCB layouts and everything on the wiki. So for licensing we provide all our source code under GPL v3 license including FPGA code. The documentation is under GNU documentation, free documentation license.

And the hardware and mechanical components and designs are released under a CERN open hardware license. So it's a hackable camera. It can handle up to 4 sensor with just 1 motherboard or up to 16 with multiplexers.

And you can hack the different components like the firmware, port new software on Linux, do some FPGA design, real-time image processing in FPGA, new electronic components,

new sensor board or extension boards. And of course change the physical layout of the camera case. Like 3D printing your camera. We provide a combination of aluminum fixed structure for holding lens and sensor boards.

And you can 3D print your own camera arrangement like stereo camera or panoramic camera or whatever. Why multi-sensor? The simple answer would be because we can.

And you can, using multiple small sensor, you can have many interesting applications like panoramic imagery or even cinematographic, sorry I skipped the calibration, you can see about the calibration on our blog.

And you can have applications like this, for example, it's a cinematographic camera with dynamic depth of field in post-production. And you can apply for a sponsored camera. Please fill our wiki and contact me. Thank you.

Thanks. Just in time. Next up is jailbreaking governmental data. PDF becomes RDF in 16 to 9 ratio. Hello all. I hope you had a nice Congress so far and washed your hands often enough.

Also, thank you to the team that managed to get the wiki up and running during the Congress this year. Thanks a lot. How many of you have heard the term RDF before? Nice. And how many have heard the term linked data before?

Almost the same, a little bit fewer maybe. Okay. So, what am I about? Public services and public administrations have started to publish lots of their data, more and more. But they like PDFs very much, maybe because they resemble the printed paper better than anything else.

And so there is lots of data buried in PDFs which is hard to pull out. The administrations are not hesitant to publish. They cooperate with OpenStreetMap.

For example, the Bavarian Open Data Initiative is five years or six years old already. And they collaborate with OpenStreetMap and they use licenses very similar or equal to Creative Commons licenses. So, things are very much improving there. But they still publish many of their stuff in PDFs.

So, I took the example of the Bavarian list of historic monuments which is probably not the most interesting, but it is a simple case. And I wanted to see if it's feasible and turn them to RDFs which is very well linkable and typical for use in open data scenarios, data format.

So, this is what the initial PDFs look like. This is a DIN A4 page, the top of it. And they can be up to several dozens or even hundreds of pages per municipality.

For example, Munich has, I don't know, 150 pages of it. There are other areas in Bavaria which are much smaller. And it's a very simple list. So, I start and, well, let's skip that one.

And just grab all the PDFs I can get from all municipalities on a daily basis. Then I run a converter over it from the popular free desktop project that turns it into a simple XML which is very close to the PDF still.

Then I consolidate this XML and pull out the actual content and throw away the page numbers and stuff. And turn it to TTL which is a W3C data format. And this in turn, this last step is done with a custom software I did right in Go.

Because Go launches quickly and has a nice standard library including XML deserialization which came in quite handy. And finally I turn it to RDF with a custom, the so-called Swiss knife for RDF or for the semantic web data formats with the wrapper.

So, this is what the first step of conversion looks like. This is, well, typical XML garbage. Then the next step is a text format. That's the turtle or TTL format which is then semantically meaningful but not easily consumed in the browser, for example.

Then the next step is XML RDF which gets a style sheet clause in the beginning and is very easily viewable on the browser.

With this very simple style sheet it has an HTML view which looks like this. And that's very similar to the initial PDF. But it is now in a textual format which is very lightweight on the first. And can be diffed and can be directly linked into.

Because now we can use anchors and every item in it has its own linkable ID. Where it before had its theoretical ID or its administrative file number. So, that's the result.

And it's deployed on a web server with nearly nothing in terms of database or stuff. So, thanks a lot. That was it. Thank you. Next up is Meetling in 4x3.

Okay. Hi, everyone. I'm Sven. And today I want to talk with you shortly about meetings.

So, if you ask the internet, the internet knows meetings are just broken. Okay, not all of them but, you know, many of them. I think many of us have been there. And they are broken in many, many, many different ways. So, I can't fix meetings here in five minutes. I just want to focus on a few problems related to the preparation of meetings.

So, if you imagine like a classical meeting, a round table, a bunch of people around it. And they discuss some topics from an agenda. Many people have this feeling depicted by our beloved sci-fi hero here.

Why, oh my god, why do I have to go to this meeting? So, let's look at some problems why that could be the case. First of all, in, so, okay, thank you for it. First of all, there could be an issue of transparency.

Like maybe you don't even have an agenda. So, I don't even know what will be discussed at this meeting. Or there is an agenda but someone forget to send it around. Or just some people got the agenda by, yeah, mouth to mouth propaganda. So, this can be very demotivating. The larger point is relevancy.

So, I go to this meeting and I have the feeling, okay, why does it concern me? What does it have to do with my work? Really, I just have to be there but I don't know why. So, I think these are the two biggest motivational problems. A smaller one is the workload. So, most often you have one moderator that also prepares the meeting.

He has to do all the work. That might be okay but it can be quite hard to know what is relevant in a meeting for everyone that attends. And if you have like a not-company setting, like an activist politics group or something, where people do this in their free time, it's like it can be a high workload just to prepare.

So, a good moderator, a good preparation can solve those problems. But maybe we have a more creative solution and what I propose is make the preparation of meetings more horizontal. So, let the participants take part in the preparation.

If you let them take part, let's say there is someplace where they can gather points that they want to discuss. So, every participant can just propose agenda items and so on. So, they see the agenda while taking part in the preparation so it's more transparent. I will logically just propose agenda items that are relevant to me.

I can still propose some that are not relevant to others. So, this doesn't solve the relevancy issue but at least it makes it somewhat better. And you can distribute the workload somewhat. This is not a statement against a moderator that prepares a meeting. Well, I think a hybrid approach is cool. So, like everyone can take part in the preparation and then there's this one guy or girl

that just takes the agenda and clears it up a bit. So, if you think this could be a cool solution, then we need a way to do it and I propose this. It's called MeetLink. It's just a very simple web app with the goal to collaboratively prepare meetings.

What can you do? No magic involved here. It's just like you can collaboratively draft an agenda. Everyone can propose agenda items, edit the meeting details and so on. This should be all or there is. Very simple to use and there's no registration step or something like that.

You just have a page, you have a link, you share the link with your coworkers or whoever attends the meeting and then you're set. So, I think most of you know Doodle. If Doodle is for metadata of meetings, like when do we meet, then MeetLink would be for the contents of the meeting. What will we discuss? Yeah, for the tech people, what is the stack?

It's like Python with Tornado, I think I owe a web server. We have a Redis database, some JavaScript, modern HTML and so on and so on. Let's have a look. Like I said, no magic there. It's just this is what a meeting would look like. You have some broad description of the meeting and where it is and so on.

And then you have the agenda and everyone can propose stuff, delete items, whatever. Yeah. So, if you like the idea, you can just use it. It's free and it's online and it works and it's used in production already. So, go to meetlink.org. It's, of course, open source. So, just follow this GitHub link.

And I'm looking forward to your issues and feedback and pull requests. If you have any questions, there's my contact info. Thank you. Thank you. Next up, the Yara rules project.

Yara rules in 16 to 9. Okay. So, hello. I'm here to talk about a little project. Some friends started.

It's called Yara rules. And first of all, for those of you that don't know about Yara, the app it's based on, I'm going to talk a little bit about it. Yara is a tool that its principle or its initial aim was to help malware analysts,

to malware researchers to identify and classify malware samples. But over time, there have been many other use cases, as we will see afterwards. And well, with Yara, what you can do is you create descriptions

of whatever thing you want to look for based on text or binary strings, binary patterns. And then in each rule, you put this set of strings or patterns and an expression that tells the application the logic of the rule.

Just a little example. Here you have a rule that on top it has the name and some tags. The first part is the metadata, then the second part are the actual strings

that will be matched against the value input to the application. And then last is the condition. In this case, at least one of these three strings has to appear in the file.

So you have seen that it's more or less easy to write rules, but there was no centralized point for these rules to be kept on.

So we made it on GitHub, so it's open source, it's public, you can go there. A repository, a community-contributed repository of Yara rules. And in that repository, we maintain it and try to enrich a little bit the rules.

First of all, categorizing them. The principal category is malware, but you also have mobile malware. This part of mobile malware is very interesting and is possible

thanks to some friends of ours that made a module for matching Android apps with Yara.

So you can have crypto, anti-debut techniques, general utilities, rules matching emails or email addresses and so on. And also a part of categorizing it, we add tags to the rules, we remove duplicates and we'll start soon to optimize some of the rules.

And that's how we created Yara rules, because we think Yara is a very useful application and wanted to spread the Yara world to the world. After creating the repository, we wanted to spread the world of Yara further

and created just a web page where you can upload any file you want and we will run it through all or parts of the rule set we have on GitHub.

You can see the main page here and you can choose any rule set you want. When you upload a file, it goes on the page of analysis that looks like that.

When you click on a link, you can see all the characteristics of the result and for each category to see if it matched or didn't match any rule

and if it matches, you can see the matches and the meta of the rule that has matched. Here you have some resources and that's it. Thank you very much. Thank you. Thank you.

Never again tech pledge 4x3. Hi, my name is Ping and I'm a Canadian living in the United States. I want to tell you about a project that I helped organize. This is very recent news.

This all just happened in the last couple of weeks. So you might have heard that Donald Trump invited the leaders of some major technology companies to meet with him at Trump Tower. These included executives from Google, Facebook, Microsoft, Amazon, Oracle and so on. And this was a cause for concern among many of us because Trump has made many negative statements about immigrants and Muslims before.

When asked whether to build a Muslim registry, he replied, certainly we would implement that, absolutely. He said he would deport millions of immigrants immediately. He has said, I want watch lists, I want surveillance, I want a database of Syrian refugees. And these major tech companies have the data and systems that could be used to track these people.

So it's reasonable to be concerned that Trump might ask them to help or pressure or even bribe them. And the leaders of these tech companies were not making any statements or taking public positions about it. So my friend and colleague, Lee Honeywell, thought that maybe as individuals we could take our own stand.

And so she drafted this pledge which other people helped her edit. A bunch of us worked with her on it. I helped her edit this. And you can see here the final version of the pledge which we published. And it acknowledges the role of technology in mass injustice such as the way that IBM collaborated to make the Holocaust possible

and contains a list of commitments. So people who sign this pledge are promising not to help build these databases, are promising if they discover unethical use of data for this kind of targeting in their companies and organizations to work to stop it, to blow the whistle, and if forced to participate to resign their jobs rather than cooperate.

So this is quite a strongly worded statement and we plan to go public with it on December 13th, the day before Trump was going to have this meeting, so the media would be reporting on it while the meeting was taking place. We collected about 50 signatures to publish with the pledge initially on launch.

We prepared the media for the launch and we indeed published it on December 13th and started collecting signatures publicly. Within a couple of days we had over 1,000 signatures. So you can see people here from all of those major tech companies I mentioned all across the US tech industry sign this pledge. Not just engineers but also managers, directors, even founders and CEOs.

And from some companies we got mass signatures so people would organize inside their companies as a group to have a signing party and then send us 30 or 50 signatures at once. So we were reported upon in the news quite widely. We got in the tech press in CNN, also reported by Al Jazeera and Forbes and the New York Times.

And we even got exactly the headline we wanted, which is on the day of the meeting and the headline was, While Tech Leaders Talk with Trump, Their Employees Pledge a Fight. So we worked very hard to verify all these signatures. We had thousands of them coming in and we had volunteers confirming that each one

was actually a person signing on their own behalf. So after a week of working day and night we decided to stop publishing new signatures after we collected 2,800 signatures to this pledge. And then the next day the New York Times published this article on the closing of NSEERS, the Muslim tracking registry for immigrants in the States, and it contains a statement,

Facebook, Microsoft, Google and Apple are among several technology companies that publicly stated they would not assist the new administration in developing any program that would collect information that could be used by the government to track immigrants from Muslim countries. The technology companies took action after thousands of Silicon Valley engineers signed a pledge saying they stood in solidarity with Muslim Americans and immigrants. So I'd just like to take a moment to credit

There's another slide missing here. I'd like to take a moment to credit the people involved with this. So there's an about page on the site, neveragain.tech, which is where this pledge is, which you can read to find out more about who was involved and how it took place. I'd like you to take away three things from this. So first, this is not a petition. We are not appealing to authority to do something for us.

It's a pledge. Each person is making their own promise and making a promise helps other people also refuse. The second is we did a lot with a little. It only took a couple of weeks of work to do this, but because of the timing we were able to have a large impact because the media was reporting on this issue. And the third is never forget that as an individual you have extraordinary power.

It is not only acts by Trump that will need to be resisted. This is not the only one. It is not only acts in the United States government that will need to be resisted. We need resistance all around the world and you can organize that resistance. Thank you. Thank you.

Next up is Cybergreen in 4 by 3 ratio.

All right. This is the next slide? Yeah. Okay. So I'm Aaron Leverett or BSP. I'm Aaron Kaplan, spelled differently. And you can hear from my voice that I've been talking way too much at this conference. We'll try. All right. So this is the project called Cybergreen. First of all, I want to apologize for the name.

The name was already there before I joined the project. I know cyber doesn't sound very cool here. Nevertheless, bear with us. The project is quite interesting. It's about metrics. So I'm going to hand over to the other Aaron now to talk about it. Well, you would say it was interesting because of course you work on it, but so do I. And the gist of this is that we think there's not enough empirical science in a lot of

security. There's not enough measurement. And we're also particularly interested in not risk to a particular target, but from other places. So we're looking at a variety of different DDoS risks and we'll talk a bit more about that in a moment. So in general, IT security flaws, not enough empirical data, not enough transparency.

People will publish a methodology, for example, in a scientific paper, but they won't publish the code or the data that they use to do that research. And it makes it much more difficult to verify their research and see that the methods that they are applying to fix these problems work. And not enough agreed upon metrics. So what we're trying to be is rough metrics in a land of no metrics at all.

So we know that some of these metrics won't be quite as accurate as we'd like, but we do have some raw accounts about DDoS reflectors. And essentially what you can't measure, you can't improve. So science ideally should answer a question, and the question we want to ask with this particular project is how big of a risk do we pose to others?

So as a particular ASN or as a particular country, how many reflectors, DDoS reflectors, are we hosting? That's a network externality on the internet. You could view it as a health problem, you could view it as pollution. This is essentially people who are not doing a good job configuring things and have a very serious impact on others. A lot of people think of DDoS as a good thing, sometimes, in some circumstances.

But when anyone can DDoS anywhere, anyone else, it's a form of censorship. And it's exactly the form of censorship that we would like to resist in much the way the previous talk was talking about. So we're focusing on countries, ASNs, and protocols. And the protocols we're interested in currently, and we will expand in the future,

are DNS, NTP, SSDP, and SNMP. So I'll hand back over to Aaron to talk a little bit about the rankings. All right. So, thanks. So currently we started small with these couple of protocols because they can be used for UDP amplification attacks.

And we just developed a score. The score is still evolving. The next iteration of the score will really have basically the number of, let's say, open records of DNS servers, open NTP servers, et cetera, and multiply by the amplification factor.

That will be the next metric. So the nice thing, when you do collect data, let's say, from scanning, you can develop interesting metrics with it. You can really develop a score similar to SSLlabs.com. Make that public. Also make the aggregated data public. Very important. We can rank by countries. We can look at the individual ASNs.

We can have timelines for the individual ASNs. So this ASN in Singapore is generally doing pretty nicely. Here you can see it's all decreasing. However, there's a slight increase here. The question is why. Usually when you see a linear, slight linear increase of something in this area, it's no CPEs.

It's new devices being rolled out. So you can suddenly start to talk with the ISP and say, hey, why is that the case? Maybe you got something by default from the vendor, which you shouldn't have. So they'll be very happy to actually usually talk with you. So another thing that we can do with a new metric, with an updated metric,

if we have the amplification factor in the counts, like amplification factor times number of open recursive DNS servers, et cetera, we can summarize these and create a global DDoS potential time series, for example. So right now with these four different risks that we have,

I know these are not all, and under the assumption that every IP address has an average 1 mbit connectivity, I know you can argue about that, but we can improve that in the future. You'll get like a 4 terabits per second, roughly DDoS amplification capacity. So it's quite interesting.

So you can do a lot with that data. As I said, the data is being made available on the web page, and yeah, pretty much that's it. Well, also we have an API. So get out there and use the data, and do your own studies, have your own opinions about what's going on with this DDoS potential on the internet. Thank you.

And if you... We look for people who want to join this project, so please get in contact with us. Thank you. Thanks. The last talk for today is how eCryptFS and e4Crypt make security worse in 4x3.

Yeah. Hello. My name is Tim, and I had a look at eCryptFS and a few file-based crypto file systems. So basically, there are three around. One is NkFS, which is completely fuse-based

and not so bad, and two, eCryptFS is a kernel-based file system on its own, and e4Crypt is actually an encryption layer on top of Extended 4, the standard Linux file system. So these file systems come with a few security risks.

NkFS, a good one, tells us what these are. Yeah. And then I had a look at eCryptFS manual, and this is a bit interesting because it has a tool called eCryptFS at passphrase,

and this tool puts out a signature that you later use to mount the actual file system, and now I was really confused because what the heck do they mean by signature? We have a private key for the signature,

why is it looking like a checksum, and our data is checksummed here. So what is the purpose of the signature? The purpose of this tool is to add a passphrase to the kernel keyring so that eCryptFS can use it later while others can't.

The kernel keyring stores passwords identified by labels. This is how that looks. You see the label on the right side, and so this is a label actually. You can use day of birth as a label and the actual day of birth as a password

doesn't make sense at all. Yeah, later I looked into the code and yes, they really do some checksumming here over the passphrase and use it as a label. So this means they really did it.

If you check in your Ubuntu installation that button down there encrypts your personal data. This actually means that a pretty good kind of your password is published system-wide when you have a look at the amounts

and every user has access to a hash of your password. It's not that we invented ETCShadow 20 years ago to prevent this. And it's not even a good hash, it's very short. So I calculated you need without compression about 15 terra of space for a good rainbow table.

So what about eForCrypt? Actually, eForCrypt does the same. It has a eForCrypt at key where you can enter a passphrase,

you add a key with a descriptor, added key with a descriptor, and yeah, it basically does the same. At least it provides you a documented salt option which is undocumented in the previous tool, but basically same issue.

So why did they not use a checksum over the mount point as a label and what else did the developers mess up with? These are the questions that they leave us with. I have no idea how one comes to that idea

to drop a hint to the password in the label. And on this terrible disappointment, I reported a bug to eCryptFS one year ago when I discovered that it's lying around there

and yeah, I started using full disk encryption with looks which actually works for me. Thank you. Thank you. All right. So the lightning talk sessions are over for this congress.

Please give a huge round of applause for all the speakers who came up to the stage and had the courage to talk to us. Also, again, a big applause for the translation team who did awesome work on translating all the talks.