WEBVTT 00:00.000 --> 00:24.000 I love it, I love an stop. 00:25.000 --> 00:30.000 This is for them, this is for them. 00:30.000 --> 00:32.000 Okay guys, please have your seat. 00:32.000 --> 00:45.000 Now we can start. 00:45.000 --> 00:47.000 Okay, good morning. 00:47.000 --> 00:50.000 Today I'm going to talk about the network trafficking 00:50.000 --> 00:52.000 This is a short version of a talk. 00:52.000 --> 00:53.000 I see my talk. 00:53.000 --> 00:57.000 I play that the sheriff has the conference in November. 00:57.000 --> 00:59.000 So if you want you can go to the sheriff's conference. 00:59.000 --> 01:02.000 It will be a long talk more than one hour and a half. 01:02.000 --> 01:03.000 So this is the contents. 01:03.000 --> 01:06.000 That's just to give you an idea of what is happening. 01:06.000 --> 01:07.000 Who am I? 01:07.000 --> 01:10.000 I'm a software open source software developer. 01:10.000 --> 01:12.000 Okay, and I also teach at university. 01:12.000 --> 01:16.000 I contribute to various software applications, including 01:16.000 --> 01:18.000 the washers, ricards, and so on. 01:18.000 --> 01:23.000 And today I'm going to talk about an open source library called NDPI. 01:23.000 --> 01:29.000 For those of you who have been here years ago, 01:29.000 --> 01:32.000 I made a presentation during the COVID days about this library. 01:32.000 --> 01:36.000 So today I'm going to focus on the fingerprinting part. 01:36.000 --> 01:40.000 The library is open source, you can see the read here, you can download it. 01:40.000 --> 01:45.000 It's probably the only open source, the pocket inspection library available today. 01:45.000 --> 01:49.000 I transfer more or less everywhere from embedded system to big system. 01:49.000 --> 01:54.000 We can scale up to one hundred and plus gigabit or two to a small embedded device. 01:54.000 --> 01:59.000 And not only contains DPI text techniques, 01:59.000 --> 02:03.000 but also contains algorithms for doing traffic analysis, for data clustering, 02:03.000 --> 02:07.000 for something that everybody calls AI, but it's probably not the AI which is a clustered or 02:07.000 --> 02:08.000 unsupervised AI. 02:08.000 --> 02:12.000 So what is the topic today? 02:12.000 --> 02:15.000 Today I'm going to talk about an act of fingerprints. 02:15.000 --> 02:18.000 I'm going to give you an introduction to an act of fingerprints. 02:18.000 --> 02:21.000 To explain what they are, what they are not. 02:21.000 --> 02:27.000 And I also, I'm going to differentiate between the initial flow fingerprint. 02:27.000 --> 02:32.000 So that is the topic of this talk from other type about behavior fingerprint. 02:32.000 --> 02:34.000 So let's start with the term. 02:34.000 --> 02:39.000 So the net of fingerprint is a way to, usually, passively, identify 02:39.000 --> 02:42.000 and guide the specific properties of pockets. 02:42.000 --> 02:47.000 You know that today, the first question is, okay, about the traffic today is encrypted. 02:47.000 --> 02:51.000 Okay, encryption is an opportunity, I would say, is not a problem. 02:51.000 --> 02:54.000 Of course, you cannot see the payload, but I think that does not bear. 02:54.000 --> 02:55.000 That's not real bad. 02:55.000 --> 02:58.000 If somebody uses encryption, there is a good reason for that. 02:58.000 --> 03:00.000 And I like that. 03:00.000 --> 03:04.000 But the fact that you have encrypted payload, it means that you have encryption case. 03:04.000 --> 03:08.000 You have other, let's say, properties that are useful. 03:08.000 --> 03:11.000 That you don't have with clear text traffic. 03:11.000 --> 03:17.000 The bug number one of internet days of the internet today is that everybody can inject a pocket on the wire 03:17.000 --> 03:20.000 and the pocket is accepted if it looks good. 03:20.000 --> 03:22.000 So you don't know exactly who is doing what. 03:22.000 --> 03:26.000 So the only way to know that, you have to put in a layer on top of layer. 03:26.000 --> 03:28.000 And then at the end, you will have encryption. 03:28.000 --> 03:30.000 Encryption case, blah, blah, blah. 03:30.000 --> 03:33.000 I don't, it's a long story to, I don't want to talk about that today. 03:33.000 --> 03:36.000 That allows me to say, okay, look at us inject it. 03:37.000 --> 03:44.000 So the term, the thing that sometimes uses a word that it's about means use about unique. 03:44.000 --> 03:45.000 Okay. 03:45.000 --> 03:48.000 The thing that is not unique, it's a way to classify traffic. 03:48.000 --> 03:52.000 So if somebody is injecting a pocket, similar to the pocket sent by somebody else, 03:52.000 --> 03:54.000 it's not true. 03:54.000 --> 03:56.000 So you have to trust the pocket. 03:56.000 --> 03:59.000 Unfortunately, pocket never lies, it's not true. 03:59.000 --> 04:03.000 Because unfortunately, you can inject any pocket to the wire and you have to trust them. 04:04.000 --> 04:06.000 So this is what, I think the print. 04:06.000 --> 04:09.000 And basically, you can use the print for various reasons. 04:09.000 --> 04:11.000 The first thing is for is a for labeling traffic. 04:11.000 --> 04:14.000 So you want to have a nice pie chart of the traffic flowing in your network. 04:14.000 --> 04:16.000 Say, there is a lot of TLS. 04:16.000 --> 04:19.000 So there is a lot of streaming today, probably here. 04:19.000 --> 04:20.000 Act force them. 04:20.000 --> 04:24.000 And based on that, you can create some specific methods. 04:24.000 --> 04:26.000 For instance, the round trip time is not great. 04:26.000 --> 04:29.000 Or there are some loss on RDP. 04:29.000 --> 04:31.000 You can segment networks. 04:31.000 --> 04:34.000 So if you think you print the HTTP, the initial core, 04:34.000 --> 04:35.000 it's okay. 04:35.000 --> 04:36.000 This is not the Windows machine. 04:36.000 --> 04:39.000 I don't want to see it on my network because it can be dangerous. 04:39.000 --> 04:42.000 So let's put it on a special V-line. 04:42.000 --> 04:44.000 It's not a problem. 04:44.000 --> 04:45.000 Otherwise, cybersecurity. 04:45.000 --> 04:47.000 If you see a device that is at the same time, 04:47.000 --> 04:50.000 an Android machine, a Mac or a Linux, 04:50.000 --> 04:51.000 that is something wrong. 04:51.000 --> 04:54.000 At the fingerprint as a bug, probably not. 04:54.000 --> 04:56.000 Or it's the device. 04:56.000 --> 04:59.000 It's a long other people to come to the network. 04:59.000 --> 05:02.000 There are a bunch of virtual machines. 05:02.000 --> 05:07.000 There are two ways of doing fingerprint. 05:07.000 --> 05:10.000 Today, I'm going to focus on the passive part. 05:10.000 --> 05:13.000 Passive means that you collect traffic. 05:13.000 --> 05:14.000 You look at the traffic. 05:14.000 --> 05:16.000 You create your own fingerprint. 05:16.000 --> 05:17.000 And you say, this is the fingerprint. 05:17.000 --> 05:19.000 Otherwise, there is the active fingerprint. 05:19.000 --> 05:22.000 So basically inject traffic on the network. 05:22.000 --> 05:25.000 And you try to collect information that you cannot collect with 05:26.000 --> 05:29.000 a simple example of that is free. 05:29.000 --> 05:31.000 So we tell us 1.3. 05:31.000 --> 05:34.000 Only the initial part of the negotiation, 05:34.000 --> 05:37.000 the client echo, is in clearer time. 05:37.000 --> 05:39.000 It's becoming more and more encrypted. 05:39.000 --> 05:41.000 But it's in clearer time. 05:41.000 --> 05:43.000 So you can decode it, let's say. 05:43.000 --> 05:45.000 Otherwise, the rest of the communication, 05:45.000 --> 05:47.000 which is the certificate or the server, 05:47.000 --> 05:50.000 hello, it's in clearer. 05:50.000 --> 05:52.000 If you're not the inspector, 05:52.000 --> 05:55.000 an anti-finger-printly-like police at Jarby's doing, 05:55.000 --> 05:57.000 is possible to fingerprint the server, 05:57.000 --> 05:59.000 even though the server is suddenly traffic 05:59.000 --> 06:03.000 that the passively cannot be analyzed. 06:03.000 --> 06:06.000 So advantage that passively, 06:06.000 --> 06:09.000 totally passively means nobody knows that you're doing that. 06:09.000 --> 06:11.000 Unfortunately, there are some limitations. 06:11.000 --> 06:13.000 Those are the limitations I told you. 06:13.000 --> 06:16.000 Fortunately, present in modern processing. 06:16.000 --> 06:18.000 There will be more and more limitations. 06:18.000 --> 06:20.000 So we have heard a lot about quick before. 06:20.000 --> 06:24.000 There are protocols like quick by design and highly information. 06:24.000 --> 06:25.000 And I said, this is great. 06:25.000 --> 06:28.000 I'm not saying it is bad. 06:28.000 --> 06:30.000 So there are various fingerprinted methods. 06:30.000 --> 06:32.000 First, the method is about protocol. 06:32.000 --> 06:35.000 So you want to bring the protocol itself. 06:35.000 --> 06:37.000 So the HTTP, remote desktop, 06:37.000 --> 06:39.000 protocol, this type of things. 06:39.000 --> 06:42.000 Other methods don't look at the protocol, 06:42.000 --> 06:44.000 but look at the content. 06:44.000 --> 06:46.000 So for instance, if you see traffic, 06:46.000 --> 06:48.000 there was Firefox settings, services, 06:48.000 --> 06:52.000 modzilla.com, probably somebody's using Firefox. 06:52.000 --> 06:56.000 So not only you fingerprint the environment, 06:56.000 --> 06:59.000 but you fingerprint the application. 06:59.000 --> 07:01.000 There are similar examples. 07:01.000 --> 07:03.000 You know, applications today are very chatty. 07:03.000 --> 07:05.000 They connected to various things. 07:05.000 --> 07:07.000 In particular mobile phones and Android, 07:07.000 --> 07:08.000 and iOS are talking a lot, 07:08.000 --> 07:11.000 it's pretty easy to fingerprint them. 07:11.000 --> 07:13.000 And that's important. 07:13.000 --> 07:15.000 That's important to give an idea of 07:15.000 --> 07:18.000 the user's way in a passive way. 07:18.000 --> 07:21.000 So in real life, you can use it for 07:21.000 --> 07:23.000 it's a browser fingerprinting. 07:23.000 --> 07:25.000 If you want to make statistics, 07:25.000 --> 07:28.000 policy enforcement, you can decide 07:28.000 --> 07:31.000 by device or type of things they can do, 07:31.000 --> 07:32.000 or they cannot do. 07:32.000 --> 07:35.000 Hopefully you can prioritize the traffic. 07:35.000 --> 07:38.000 So let's say, if there is important traffic, 07:38.000 --> 07:41.000 like streaming, this type of streaming, 07:41.000 --> 07:44.000 I want to give this traffic a priority. 07:44.000 --> 07:47.000 I want to give less priority, let's say, 07:47.000 --> 07:49.000 to a fine transfer to a Dropbox update, 07:49.000 --> 07:51.000 because they can happen slowly. 07:51.000 --> 07:53.000 But this type of traffic, 07:53.000 --> 07:54.000 either it is fast. 07:54.000 --> 07:55.000 So it's reliable. 07:55.000 --> 07:56.000 It doesn't flicker. 07:56.000 --> 07:58.000 All people will not like it. 07:58.000 --> 08:00.000 That is the main thing. 08:00.000 --> 08:02.000 So we are not doing that for spying people, 08:02.000 --> 08:04.000 but there are good reasons 08:04.000 --> 08:07.000 in the network for doing that. 08:07.000 --> 08:09.000 If you want to create a fingerprinter, 08:09.000 --> 08:12.000 there are many tutorials that talk about that. 08:12.000 --> 08:14.000 It looks like it's a fantastic, 08:14.000 --> 08:17.000 super complex thing, but it is not rocket science. 08:17.000 --> 08:18.000 I tell you, the fingerprint. 08:18.000 --> 08:21.000 So basically you have to take some specific attributes 08:21.000 --> 08:23.000 of the protocol you want to fingerprint, 08:23.000 --> 08:25.000 for the traffic you want to fingerprint, 08:25.000 --> 08:27.000 make sure that you ignore. 08:27.000 --> 08:30.000 Attributes that are not important, 08:30.000 --> 08:31.000 or that are random. 08:31.000 --> 08:34.000 So for instance, in TLS, there is an extension called 08:34.000 --> 08:35.000 Greece. 08:35.000 --> 08:38.000 It has been put by that by Google. 08:39.000 --> 08:41.000 You should ignore it, 08:41.000 --> 08:44.000 because every communication has a different type of value. 08:44.000 --> 08:46.000 So if you simply take the payload, 08:46.000 --> 08:47.000 you create a hash, 08:47.000 --> 08:49.000 say this is the fingerprint it's wrong. 08:49.000 --> 08:51.000 So you have to take the information that makes sense. 08:51.000 --> 08:52.000 So for instance, if you want to fingerprint 08:52.000 --> 08:55.000 at TLS communication, you should ignore the domain name, 08:55.000 --> 08:57.000 or the rest you are connecting to, 08:57.000 --> 08:59.000 because it changes for the time. 08:59.000 --> 09:01.000 But I want to fingerprint the client, 09:01.000 --> 09:03.000 I don't want to fingerprint the traffic you are making. 09:03.000 --> 09:04.000 So I want to know, 09:04.000 --> 09:05.000 whether you are using Modela, 09:05.000 --> 09:07.000 file, folks or another application, 09:07.000 --> 09:08.000 or I want to know, 09:08.000 --> 09:10.000 on a very specific factor, 09:10.000 --> 09:11.000 where it's super important, 09:11.000 --> 09:13.000 that nothing has to change. 09:13.000 --> 09:14.000 Like, you know, 09:14.000 --> 09:15.000 an industrial network, 09:15.000 --> 09:16.000 where you make medicaments. 09:16.000 --> 09:19.000 So if you see that a fingerprint of a device 09:19.000 --> 09:21.000 has changed, you have to check whether 09:21.000 --> 09:22.000 somebody has updated the device, 09:22.000 --> 09:24.000 or there is a problem on your plant. 09:24.000 --> 09:26.000 That's very important. 09:26.000 --> 09:29.000 So fingerprint is not just about curiosity. 09:29.000 --> 09:31.000 It's about making sure without inspecting, 09:31.000 --> 09:32.000 going deep, 09:32.000 --> 09:34.000 but things are working as it should. 09:35.000 --> 09:37.000 That's very important. 09:37.000 --> 09:38.000 So it's not rocket science. 09:38.000 --> 09:39.000 For instance, 09:39.000 --> 09:42.000 this is an example of the fingerprint implemented 09:42.000 --> 09:45.000 by NDPI for the TCP stack. 09:45.000 --> 09:48.000 So we take some parameters that make sense. 09:48.000 --> 09:50.000 We try to make, you know, 09:50.000 --> 09:52.000 assumption on the usage. 09:52.000 --> 09:54.000 So we define them in ranges. 09:54.000 --> 09:56.000 For example, it's a typical example. 09:56.000 --> 09:58.000 So you cannot take the single value, 09:58.000 --> 10:00.000 because when you have, 10:00.000 --> 10:02.000 by hope, it can be decreasing. 10:02.000 --> 10:03.000 If it is a range, 10:03.000 --> 10:05.000 it's not the exact value. 10:05.000 --> 10:08.000 And you create this string. 10:08.000 --> 10:10.000 When you create this string, 10:10.000 --> 10:12.000 and then this example of the extension that we 10:12.000 --> 10:15.000 are put through NDPI in white shark. 10:15.000 --> 10:18.000 So you can see the fingerprint on it. 10:18.000 --> 10:21.000 Is it what, what can I do with this fingerprint? 10:21.000 --> 10:23.000 Okay, what's the need beside the hash? 10:23.000 --> 10:25.000 Okay, I'm going to show you that. 10:25.000 --> 10:26.000 So for instance, 10:26.000 --> 10:28.000 looking at the fingerprint, 10:28.000 --> 10:31.000 we can know interesting properties of the device. 10:31.000 --> 10:33.000 Let's have a look for instance, 10:33.000 --> 10:34.000 at Apple. 10:34.000 --> 10:35.000 Okay, everybody thinks, 10:35.000 --> 10:37.000 okay, I buy a device. 10:37.000 --> 10:39.000 It's made by the same manufacturer. 10:39.000 --> 10:40.000 It's a sale. 10:40.000 --> 10:41.000 No, it's not true. 10:41.000 --> 10:43.000 So for instance, if you look at the operating system, 10:43.000 --> 10:44.000 that's interesting. 10:44.000 --> 10:47.000 Also, if we look at the TCP options, 10:47.000 --> 10:50.000 we can figure out what this has been generated by an iPhone 10:50.000 --> 10:51.000 or an iPad. 10:51.000 --> 10:53.000 So you can restrict, for instance, 10:53.000 --> 10:54.000 the network. 10:54.000 --> 10:55.000 Okay, or you can say, 10:55.000 --> 10:57.000 okay, if I want to make my statistics, 10:57.000 --> 10:59.000 this type of device. 11:00.000 --> 11:04.000 For instance, you know exactly if it's a Windows machine, 11:04.000 --> 11:07.000 because Windows machine does not use the timestamping option. 11:07.000 --> 11:09.000 This is used by other operating systems. 11:09.000 --> 11:12.000 So you can create families. 11:12.000 --> 11:14.000 Okay, not for sure say Windows 11, 11:14.000 --> 11:15.000 Windows 10. 11:15.000 --> 11:16.000 This is not possible. 11:16.000 --> 11:18.000 Honestly, it's not possible. 11:18.000 --> 11:19.000 But you can create families. 11:19.000 --> 11:21.000 You can decide where the certain things 11:21.000 --> 11:23.000 should happen or not happen. 11:23.000 --> 11:25.000 It makes statistics. 11:25.000 --> 11:26.000 That's the thing. 11:26.000 --> 11:28.000 And then of course, if you see a Windows machine 11:28.000 --> 11:31.000 that is accessing a lot of Android in your site, 11:31.000 --> 11:33.000 or an iOS site, 11:33.000 --> 11:36.000 there is a problem that doesn't work. 11:36.000 --> 11:37.000 Okay? 11:37.000 --> 11:40.000 And of course, you can use that for protecting yourself. 11:40.000 --> 11:42.000 Let's take an example. 11:42.000 --> 11:45.000 There are two very high-speed scanners. 11:45.000 --> 11:47.000 One is Musk and the other one is Z-map. 11:47.000 --> 11:50.000 So when you see pockets coming through, 11:50.000 --> 11:52.000 okay, and you see those pockets, 11:52.000 --> 11:55.000 you immediately can realize that those pockets 11:55.000 --> 11:57.000 are generated by somebody 11:57.000 --> 11:58.000 that's special. 11:58.000 --> 11:59.000 Okay, socket doesn't have to answer. 11:59.000 --> 12:01.000 I don't know if that you know the answer already. 12:01.000 --> 12:03.000 But anyway, there are no options. 12:03.000 --> 12:05.000 There are not these specific options on those pockets. 12:05.000 --> 12:08.000 Because these guys are standing as fast as possible. 12:08.000 --> 12:10.000 I wait for you to send something back. 12:10.000 --> 12:12.000 So if you see those pockets, 12:12.000 --> 12:13.000 you can immediately say, 12:13.000 --> 12:14.000 I want to stop this guy. 12:14.000 --> 12:17.000 I don't have to go further in my communication. 12:17.000 --> 12:20.000 Because this guy is an attacker. 12:20.000 --> 12:22.000 So it's good for protecting yourself. 12:22.000 --> 12:23.000 This is what I mean. 12:23.000 --> 12:26.000 Without going to deep. 12:27.000 --> 12:29.000 And of course, there are three things that is provided. 12:29.000 --> 12:30.000 This is the most popular one. 12:30.000 --> 12:32.000 Okay, about TLS or quick. 12:32.000 --> 12:35.000 We have seen a lot about TLS and quick before. 12:35.000 --> 12:37.000 In this case, we are thinking of printing delivery. 12:37.000 --> 12:41.000 The TLS in part also the application sitting on top of it. 12:41.000 --> 12:44.000 The most popular one at the moment is called J-A4. 12:44.000 --> 12:47.000 And unfortunately, it's a big crazy. 12:47.000 --> 12:52.000 Because this one, it's an operator with respect to J-A3. 12:52.000 --> 12:55.000 Because J-A3 is not really usable. 12:55.000 --> 12:59.000 Because it was based on the concept that you take certain parameters of TLS. 12:59.000 --> 13:01.000 You put them in order to create the hash. 13:01.000 --> 13:05.000 But recently in 2013, I think, so some years ago, 13:05.000 --> 13:09.000 Google started to shuffle them just to avoid the devices 13:09.000 --> 13:11.000 to be fingerprinting. 13:11.000 --> 13:15.000 So because of that, there are 2,000 fingerprints created out of the same device. 13:15.000 --> 13:19.000 So in S&J-A4, it's sorting them and creating fingerprint. 13:19.000 --> 13:23.000 But the point is that the guy who made it 13:23.000 --> 13:27.000 has created other type of fingerprints that are protected by a patent. 13:27.000 --> 13:29.000 So they want to patent that. 13:29.000 --> 13:32.000 From point to view, from the open source standpoint, 13:32.000 --> 13:33.000 doesn't make any sense. 13:33.000 --> 13:36.000 But it's also a crazy idea to patent, you know, 13:36.000 --> 13:39.000 the objective is red or blue or green from a point to blue. 13:39.000 --> 13:41.000 Anyway, that's my opinion. 13:41.000 --> 13:45.000 So if you look at the J-A4, you will see that it's divided in three parts. 13:45.000 --> 13:47.000 A-B-N-C, okay. 13:47.000 --> 13:49.000 Let's forget A for a second. 13:49.000 --> 13:50.000 Let's take B-N-C. 13:50.000 --> 13:52.000 If you take B-N-C, inside the N-D-P-I, 13:52.000 --> 13:55.000 well created there, you analyze quite some traffic. 13:55.000 --> 13:57.000 So we have created this type of list. 13:57.000 --> 14:02.000 So I know, for instance, if a certain traffic has been created by Chrome, 14:02.000 --> 14:04.000 or by another browser. 14:04.000 --> 14:07.000 Of course, this list will change, 14:07.000 --> 14:09.000 because browser are changing. 14:09.000 --> 14:11.000 So it's a constant, you know, 14:11.000 --> 14:13.000 updates are constant 5. 14:13.000 --> 14:16.000 But it's interesting to understand that data. 14:16.000 --> 14:18.000 To understand which is very substantial, 14:18.000 --> 14:19.000 that's potentially a problem. 14:19.000 --> 14:21.000 Okay, the one, a certain browser, 14:21.000 --> 14:22.000 to run. 14:22.000 --> 14:23.000 This is an instant thing. 14:23.000 --> 14:26.000 And of course, we have integrating a favorite tool. 14:26.000 --> 14:28.000 Why should that can do that? 14:28.000 --> 14:30.000 We don't have a lot of time today, 14:30.000 --> 14:32.000 so I'm going to stop more or less here. 14:32.000 --> 14:34.000 So what I wanted to say is that, 14:34.000 --> 14:36.000 inside the N-D-P-I, inside this library, 14:36.000 --> 14:39.000 there are various fingerprints about various protocols. 14:39.000 --> 14:41.000 From simple one, let's say remote desktop, 14:41.000 --> 14:44.000 okay, or SSH, to more complicated the ones. 14:44.000 --> 14:46.000 So the interesting one, at the end of this talk, 14:46.000 --> 14:49.000 that, again, I have no time to discuss them today. 14:49.000 --> 14:51.000 Again, go into the why should conference, 14:51.000 --> 14:54.000 retrospective, you can see the talk on the video. 14:54.000 --> 14:57.000 It's about encrypted or obfuscated traffic. 14:57.000 --> 15:00.000 So just to make this long story short, 15:00.000 --> 15:03.000 encryption, okay, makes traffic hard to understand. 15:03.000 --> 15:05.000 So theoretically, you should not be able to understand, right? 15:05.000 --> 15:09.000 But sometimes the traffic is encrypted twice, okay? 15:09.000 --> 15:11.000 Well, it's over encrypted, let's say, 15:11.000 --> 15:13.000 so it looks like random data. 15:13.000 --> 15:15.000 Okay, this is the type of information that is happening. 15:15.000 --> 15:17.000 These type of things are happening. 15:17.000 --> 15:21.000 Oh, there are some specific VPN, like Nord VPN, for instance. 15:21.000 --> 15:25.000 They're using special techniques to further obfuscate the traffic. 15:25.000 --> 15:27.000 Okay, this is an interesting thing. 15:27.000 --> 15:30.000 It's in the API library, so it's also able to understand 15:30.000 --> 15:33.000 that the techniques used by Chinese government 15:33.000 --> 15:35.000 in the great China firewall. 15:35.000 --> 15:37.000 So we're also able to understand this type of things, 15:37.000 --> 15:39.000 and to recognize this type of traffic, 15:39.000 --> 15:41.000 which is understand this type of techniques. 15:41.000 --> 15:44.000 Again, for protection, okay, not for attack. 15:44.000 --> 15:47.000 Final slide, we're organizing a conference 15:47.000 --> 15:49.000 that is somehow a mix between, you know, 15:49.000 --> 15:52.000 the community of the community from Wayshire, 15:52.000 --> 15:55.000 meet in Zurich, in Switzerland, in May. 15:55.000 --> 15:59.000 There are some speakers here today that we also speak. 15:59.000 --> 16:01.000 So with some of you, it's willing to attend 16:01.000 --> 16:03.000 in Central Europe that would be great. 16:03.000 --> 16:06.000 Thank you very much for being here today. 16:06.000 --> 16:08.000 Thank you. 16:12.000 --> 16:14.000 Any questions?