00:00:00.067-->00:00:04.771 >>Hi Defcon! We gonna make this fast, this is a short talk. So. I'm going to just, er, get them 00:00:04.771-->00:00:09.776 rollin'. Please come in find a seat, erm, and, er, enjoy your talk. Without further ado this 00:00:11.879-->00:00:16.884 is "Haystack" and "Six Volts" er, let's give them a round of er applause. [applause] Alright, 00:00:20.621-->00:00:26.360 go guys! [applause] >>Hi there, I'm "Six Volts" >>And I'm "Haystack" I'm "Haystack" >>And 00:00:26.360-->00:00:31.365 we're going to be talking about cheap tools for heavy trucks. So there's a lot of differences 00:00:35.035-->00:00:38.305 between cars and heavy trucks and we're gonna be talking about some of those. We're also going 00:00:38.305-->00:00:43.744 to be talking about the R&D problems we face and we got around them. >>And er, we're 00:00:43.744-->00:00:47.748 also going to do some very preliminary stuff about, er, networking protocols and 00:00:47.748-->00:00:51.952 standards; there's a lot to go over so we're just gonna dump it all on a white paper for you to 00:00:51.952-->00:00:56.523 read if you really care that much. Er, we're also going to go over a new hardware tool that we 00:00:56.523-->00:01:01.028 built, er, that should save you some money if you start, start getting in, in to truck hacking 00:01:01.028-->00:01:06.033 and also go over some some light truck hacking adventures, er, that we've had. >>We put some 00:01:09.403-->00:01:12.406 quick notes...we're going to assume you're familiar with basic vehicle networking. If 00:01:12.406-->00:01:16.643 you're not google it, er, I assume you're familiar with the idea that if you get on the CAN 00:01:16.643-->00:01:20.347 bus you can do bad things. We are leaving out lots of details that are going to be in the 00:01:20.347-->00:01:25.419 white paper, erm, check the GitHub at the end of the week, erm, and a safety disclaimer, if 00:01:25.419-->00:01:29.923 you hook up to truck and start fuzzing while its moving bad things could happen, don't do 00:01:29.923-->00:01:36.463 that, we're not responsible if you do. >>We have done that. Do as we say not as we do. So, er, 00:01:36.463-->00:01:41.635 trucks as we talk about them are really any big, anything with a big with a diesel engine in it. 00:01:41.635-->00:01:45.405 Er, the thing that most people are familiar with are semi-trucks, er, class eight 00:01:45.405-->00:01:50.911 over the road vehicles, but also dump trucks, wreckers, marine engines, generators, big 00:01:50.911-->00:01:56.283 generators, er, agricultural equipment – anything like that is all going to work largely the 00:01:56.283-->00:02:02.322 same way and is going to be made by the same people. Um, an exception of the diesel pick- up 00:02:02.322-->00:02:08.095 truck, so if you see Baba in his, er, commons Dodge Ram, er, that's just going to act, going 00:02:08.095-->00:02:14.201 to act like a regular, regular passenger vehicle. >>So many of the components that are in 00:02:14.201-->00:02:19.606 trucks, um have to be interchangeable. So you can get a Peterbilt truck with er, a 00:02:19.606-->00:02:24.444 Paccar engine or with a Cummins engine and you used to be able to get one with a CAT engine, um 00:02:24.444-->00:02:28.615 so that – all of those parts have to work inter-operably like that brake controllers come from 00:02:28.615-->00:02:33.587 different vendors, the engines, the transmissions. So, they've had to agree to this standard so 00:02:33.587-->00:02:38.158 that all the electronics can speak to each other and the truck can actually work. >>So 00:02:38.158-->00:02:42.529 one of the major differences with heavy trucks is, er, if you do anything with passenger 00:02:42.529-->00:02:46.466 vehicles a big part of your job is reverse engineering the protocol because every 00:02:46.466-->00:02:52.105 manufacturer has their own thing. Er, with heavy trucks with big diesels, that's all 00:02:52.105-->00:02:56.143 been decided upon by the society of auto motor engineers beforehand and it saves you a 00:02:56.143-->00:03:00.280 lot of time. Er, so may have read something in Wired recently that those guys just took a 00:03:00.280-->00:03:04.785 standard and injected traffic and sure enough they were able to cause unintended braking and 00:03:04.785-->00:03:09.790 acceleration. >>So I'm going to talk a little bit about the telematics attack surface. Most 00:03:12.059-->00:03:17.898 heavy trucks that are out on the road in, in a fleet have a dash mounted, touch screen that 00:03:17.898-->00:03:22.135 controls the driver's logs, navigation, gives them a way to communicate with the fleet. 00:03:22.135-->00:03:28.508 Kinda like email and in, in emergencies, contacts the fleet and allows, er, the truck driver 00:03:28.508-->00:03:32.579 to talk back to them. Erm, they use the cellular network to connect to the, er, telematics 00:03:32.579-->00:03:37.584 provider and the fleet and these devices connected directly to the CAN J1939 bus, erm also the 00:03:40.120-->00:03:44.925 the Legacy 1708. Many of them run embedded versions of Windows, like Windows CE are XP 00:03:44.925-->00:03:50.730 embedded, um, that's kinda scary to me. >> Talk about how we... >>Yeah we've had some luck with 00:03:50.730-->00:03:57.037 routing them, doing things like popping an SD card under the back. >>Er, so a big problem 00:03:57.037-->00:04:01.441 that we had when we started getting into this is: trucks are expensive. A, so like a freight 00:04:01.441-->00:04:06.480 liner cascading, or something like that can cost like over a hundred grand – erm, ouch, I do 00:04:06.480-->00:04:11.751 not have that kind of money, er and for the, for the aspiring hacker, even if you are rich, 00:04:11.751-->00:04:17.591 they are big, hard to store, hard to drive, er, I can drive a five speed, a six speed, a one 00:04:17.591-->00:04:22.696 down four up speed, er but I can't drive a fourteen speed. Erm, and they are also expensive 00:04:22.696-->00:04:27.100 to operate. Er, so we, we didn't have one, and we still don't, we are trying to get one, er, so 00:04:27.100-->00:04:32.105 how do we experiment? We built this thing. >>We call this the Truck in a Box. [laughter from 00:04:36.009-->00:04:40.447 audience] so this a bunch of components out of a heavy truck. Erm, the engine control module, 00:04:40.447-->00:04:44.818 the instrument cluster and there's a couple of other things hiding in the back there... a 00:04:44.818-->00:04:48.788 power distribution unit and a national instrument [inaudible]. We quit using that, but. And the 00:04:48.788-->00:04:54.528 knobs are a bunch of a digi-nomitors of sensors. Erm, the first one took about six 00:04:54.528-->00:04:59.232 months to build and cost about ten thousand dollars, but that's still – >>Thanks DARPA 00:04:59.232-->00:05:03.270 >>[laughs] but that's still a lot cheaper than the cost of a truck. Erm, since then we built 00:05:03.270-->00:05:08.175 over a dozen of those false size ones for different trucks and engines. Erm, we later 00:05:08.175-->00:05:12.279 compressed the concept into the size of a circuit board, but that's not pretty, so we're not 00:05:12.279-->00:05:19.186 going to show it off. >>Er, so the concepts of the truck in a box, um, we wanted to recreate 00:05:19.186-->00:05:22.355 the vehicle networks including J1939 and J1708. J1939 is built on CAN and J1708 is kinda RS485, 00:05:22.355-->00:05:27.360 it's similar to J1850. Erm, it, it also fakes passenger sensor signals so, er, usually oil 00:05:27.360-->00:05:32.365 pressure sensors in tanks and temperature sensors and things are just of, they just measure 00:05:40.874-->00:05:45.845 voltage or resistance in ECMs, we the engine control module tends to freak out of those 00:05:45.845-->00:05:51.084 things aren't pres, aren't present. So, we're just trying to keep it from freaking out. 00:05:51.084-->00:05:55.322 >>Some of the more complicated signals are things like the accelerator pedal and the way 00:05:55.322-->00:06:01.394 the, the vehicle measures its road speed. This is the, a a tone ring, it's on the back of 00:06:01.394-->00:06:06.800 the tail shaft underneath the truck. Erm on the left here we got the actual sensor and that 00:06:06.800-->00:06:13.707 tone ring spins past that sensor generating a magnetic field so, so we hook one up in a vice and 00:06:13.707-->00:06:17.811 put the sensor next to it and then you get this kind of signal. So we are re, RE that 00:06:17.811-->00:06:21.414 signal figure out and characterize it. Play it back to the ECM, and we can actually put 00:06:21.414-->00:06:27.954 miles on the truck on a bench. >>See, I already talked a little bit about the two main, er, 00:06:27.954-->00:06:32.959 networking protocols and the er J1708, like I said is RS485-ish and 9600 baud there are some 00:06:36.196-->00:06:41.101 slight transceiver differences. And then there's also another SAE standard called J57 that 00:06:41.101-->00:06:46.339 specifies everything all the way up to the application layer. J1939 is similar, but it's built 00:06:46.339-->00:06:52.112 on 250 K CAN, er, if you're into this, you know the passenger cars are 500 K. Er, we also see 00:06:52.112-->00:06:58.952 ISO15765 but only for diagnostic comms. Details on white paper like all the different protocol 00:06:58.952-->00:07:03.156 details if you wanted to write your own implementation. Er, we should be, we should, we should 00:07:03.156-->00:07:08.161 be able to give you enough information to do that. >>So for J1708, the older protocol 00:07:10.964-->00:07:17.270 messages are timed limited and you got these things called MIDs and PIDs. >>The MID, er, is is, 00:07:17.270-->00:07:22.242 analogous to the CAN ID first byte and it tells you who on the network is talking and the PID 00:07:22.242-->00:07:27.113 er, is come right before any data, er, on a, in a message. And it comes, so, PIDs and data 00:07:27.113-->00:07:31.951 come after the MID and unpacking those PIDs and the data is how you figure out how what messages 00:07:31.951-->00:07:36.956 say. >>Um, mostly older trucks will have only J1708, er, there was a period where, where they'd 00:07:43.396-->00:07:46.966 have the both networks J1587 and J1939 at the same time. Erm, some newer ones will have 00:07:46.966-->00:07:51.971 components that use it, er, and then are also these things called gliders. Er, if you're a 00:07:55.008-->00:07:59.946 hot rod builder you'd know a rolling chassee, people will, will order a, um, a truck with 00:07:59.946-->00:08:04.484 no motor in it. And the reason is, it's ,er, ignitions regulations go by the date of 00:08:04.484-->00:08:09.422 the manufacture of the motor and not the date of the truck. So, they'll have everything but the 00:08:09.422-->00:08:13.426 motor made. And these things will last for two million miles pretty easily, so we'll put the 00:08:13.426-->00:08:20.400 older motor in it. So you may see new trucks with old networks and old engines in 'em. >> So 00:08:20.400-->00:08:26.539 J1939 is the newer protocol and it's based on a 250K CAN, it's got extended IDs that are 29 00:08:26.539-->00:08:32.345 bits long instead of 11 bit IDs that are like in cars. Erm, sometimes, er, they have some 00:08:32.345-->00:08:36.883 basic specs for source and destination but those aren't enforced, erm, there's address 00:08:36.883-->00:08:40.920 management, there's a transport layer, message fragmentation... There's about a dozen different 00:08:40.920-->00:08:44.023 documents that are, that you can read through they're probably published by SAE, but they're 00:08:44.023-->00:08:48.728 all kind of thick. There's a couple of parameter group numbers, which is like a message 00:08:48.728-->00:08:54.067 type that are reserved for proprietary communications and those are the fun ones. >>And 00:08:54.067-->00:08:59.606 then also, erm, there's the vehicle diagnostic wing connector which is called a DLC 00:08:59.606-->00:09:04.210 or DLA. This, this industry is ter- terrible with acronyms so there's like always five 00:09:04.210-->00:09:09.549 acronyms for the same thing. Er, it's similar to an OBD2 scan tool in a passenger car, also 00:09:09.549-->00:09:14.988 it's OBD: On Board Diagnostics like not O-D-B who is a founding member of the blue tank 00:09:14.988-->00:09:19.993 clan...people mess that up constantly and it drives me a little nuts. Um, it's basically 00:09:22.162-->00:09:27.167 a USB slash serial slash Ethernet to J1939 and to J1708 bridge. These things are 00:09:29.235-->00:09:34.641 incredibly overpriced. They come in at like $700-$800 dollars and it's seriously just like I 00:09:34.641-->00:09:38.578 converted one thing into another thing and it's two chips that they bought from someone else 00:09:38.578-->00:09:43.583 and soldered them on to a board. Um, the, er, RP1210 is a standard that governs functions 00:09:45.685-->00:09:51.524 exposed by their drivers, so observing those driver calls is an excellent strategy for 00:09:51.524-->00:09:56.396 dynamic analysis OME software because they're always the same name and they always have the 00:09:56.396-->00:10:01.968 same arguments in the same format. So you can sort of get a running analysis of what the 00:10:01.968-->00:10:06.973 different software packages are doing at various stages, erm some ECM interaction. >>So, 00:10:09.709-->00:10:14.547 we're releasing a new tool called the Truck Duck. It's the cape for the BeagleBone. It 00:10:14.547-->00:10:19.118 gives you two CAN channels and J1708 channels. So you can do things like message filtering, 00:10:19.118-->00:10:24.123 recording, er simulating an ECU. Ah, we've also got a custom OS image with the J1939 kernel 00:10:26.226-->00:10:32.866 extensions built in, er, and er he, Haystack wrote some stuff for, er, using it in Python. 00:10:32.866-->00:10:38.605 He's also, er, written a J1708 implementation in the BeagleBone PRU which is amazing. Like 00:10:38.605-->00:10:44.577 little built in micro controllers for on the thing and, er, this is what it looks 00:10:44.577-->00:10:50.750 like. Erm, over on the right hand side I've got diagnostic link connector, it's the big 00:10:50.750-->00:10:55.755 DV15. Um, two split terminals, there's the green guys and power circuitry so that you can power 00:10:58.358-->00:11:03.296 it from the bus. >>So, er, another thing that that we released is, erm, an RP10 00:11:07.534-->00:11:13.573 tracer. So for a while when would reverse engineer what the the software packages were doing 00:11:13.573-->00:11:17.510 and when we were trying to reverse engineer the proprietary, er, protocols the 00:11:17.510-->00:11:21.915 best option was to buy a diagnostic wing connector whose driver has debug logging 00:11:21.915-->00:11:26.586 capabilities so you would flip a little switch in the driver software and it would say, you 00:11:26.586-->00:11:31.024 know: "I sent this, I received this, received this, sent this," um, the only, the only known, 00:11:31.024-->00:11:36.529 the only one we know of cost $700 like the Cadillac of DLCs. Er, that can be a lot of money 00:11:36.529-->00:11:41.834 for some people, especially if you're just doing bench testing on any CM that you got a junk 00:11:41.834-->00:11:46.839 yard some place. Like us. Um, I wrote a RP1210 API tracer that logs results of RP1102 function 00:11:48.975-->00:11:55.815 calls so you're not dependent on the Cadillac of DLCs anymore. And, er, it works with any of 00:11:55.815-->00:12:02.522 them, including the cheapie made clones for the all of two weeks that they work. And er, it 00:12:02.522-->00:12:07.994 allows you to decrypt and translate on the fly and when we get kinda into the, er, what we 00:12:07.994-->00:12:12.999 did with this stuff section, er, you'll see that a little bit. Erm, so what is it good for? All 00:12:15.768-->00:12:21.174 that stuff I just went through, er, all that and a buck could get you a cup of coffee, er, 00:12:21.174-->00:12:28.047 like ten years ago. So, er, what, what can you actually do with this? Uh, so we, we wanted 00:12:28.047-->00:12:34.253 an attack and we wanted to have a viable attack that can actually have some conceivable 00:12:34.253-->00:12:40.960 impact in the real world, er, but we didn't have a truck, so, this this presents an issue. If 00:12:40.960-->00:12:45.398 you're not driving something it's very difficult to tell when brakes are applied when you have 00:12:45.398-->00:12:51.437 no actual brakes. Er, so we needed something that we could do invetro and, er, the solution 00:12:51.437-->00:12:56.442 was malicious ECM misconfigurations. So reverse engineer the protocol, um, yeah, 00:12:59.245-->00:13:05.485 reverse engineer the protocol and then modi – send messages using that protocol to, er, to 00:13:05.485-->00:13:10.490 misconfigure the DCM. >>Um, so most of the parameter configuration is done over 00:13:14.260-->00:13:19.766 proprietary protocol extensions, um, we promised not to give too many specifics out, um so that, 00:13:19.766-->00:13:24.337 you can't do very bad things to trucks that are on the road, that would be pretty dangerous. 00:13:24.337-->00:13:28.675 Um, we're going to give a demonstration of what is possible with the Truck Duck and 00:13:28.675-->00:13:35.214 the AP to I tracing. So this is some proprietary traffic. You can see the the messages here. 00:13:35.214-->00:13:41.154 >>I'll point and you talk. >> So, we can, er, see the F. E. there in the middle, that 00:13:41.154-->00:13:45.792 indicates that this is a proprietary message, and, and that's what you really want to 00:13:45.792-->00:13:49.829 look for. And the message down at the bottom is just a, a something regular for when you 00:13:49.829-->00:13:54.834 cross the bus. >>So, initial notes from analysis from this protocol, um, the same process, 00:13:58.171-->00:14:02.008 clicking the same buttons in the software, yielded, yielded different network traffic every 00:14:02.008-->00:14:07.013 time. So, this stuff was actually obfuscated slash encrypted, um, which, which is 00:14:09.182-->00:14:13.653 kinda unusual. A lot of the different manufacturers including newer ECMs, very new 00:14:13.653-->00:14:18.658 one, they're not encrypted or, or disguised in any way. Um, messages that appear to do the 00:14:21.227-->00:14:26.365 same thing with the same length so it's not too obfuscated, no ones patting to a block length 00:14:26.365-->00:14:31.838 or stuff, it's simple, simpler. And, er, this is where a lot of yada yada yada passed a bunch of 00:14:31.838-->00:14:36.709 static analysis I did with dot peak and IDA because this is Defcon and don't want to try to 00:14:36.709-->00:14:41.714 teach pros how to use dot peak and IDA. So, so, er, after doing static analysis I figured out, 00:14:46.319-->00:14:53.025 the, what the bytes after the first three are. The first three are specified by SAE. Er, the 00:14:53.025-->00:14:58.598 first byte, first byte is the source. The second byte says: "Hey, this is proprietary and 00:14:58.598-->00:15:02.468 it's interesting". The third byte says: "This is the destination". In this case, this 00:15:02.468-->00:15:07.907 is the DLC talking to the engine. This next code is proprietary and that's a 00:15:07.907-->00:15:12.912 security set up. And then, that, this low level over here, er, on both ends, these are kinda 00:15:15.615-->00:15:20.386 degenerate keys. There's obviously not a whole lot of entropy in a four bit key but 00:15:20.386-->00:15:22.388 that's what they got. And er that, they pre- share that in order to carry out the rest of 00:15:22.388-->00:15:24.390 the protocol. So then, er, I found other commands codes, so this high level, F was the 00:15:24.390-->00:15:26.392 security set up, D is an encrypted write, C is an encrypted read and then E is an 00:15:26.392-->00:15:28.394 encrypted read-write response. So no matter if it's responding to a write or a read, it's going 00:15:28.394-->00:15:30.396 to be, er, that that, that's going to be the format of the reply. The low level is the 00:15:30.396-->00:15:32.398 message code and then there's this little formula where you take the pre-shared four bit 00:15:32.398-->00:15:34.400 super high entropy key add it to the code in the message mod four and it indexes into a character 00:15:34.400-->00:15:36.402 array, er, that's buried in a DLL some place. And then you just x0 it with every thing. 00:15:36.402-->00:15:38.404 It's x0 encryption made slightly less bad. So then, er, after we decrypted, I modified the RP1210 00:15:38.404-->00:15:40.406 API tracer to decrypt all this on the fly. And then, er, the pattern became a lot more, er, a 00:15:40.406-->00:15:44.610 lot more comprehensible. You can see that's it just a very standard call-and-response type 00:15:44.610-->00:15:48.648 protocol where you have a PID and then it says: "Hey, you know, 60, I wanna see that," you 00:15:48.648-->00:15:53.653 get a bunch of ask key characters, I have to look up what that is honestly. And so, 00:16:43.236-->00:16:48.608 er, what could we do with this? So, now that, now that we have this, this degenerate encryption 00:16:48.608-->00:16:54.213 algorithm and we know the PIDs and we can trace this stuff, erm, if we get on the bus we can 00:16:54.213-->00:17:01.087 set parameters in the ECM. So, er, the one that we chose was, er, park vehicle speed limit, 00:17:01.087-->00:17:06.292 so, er, the governors in heavy trucks are just, just a byte that you write and so we 00:17:06.292-->00:17:10.096 thought: "Hey, wouldn't it be cool if we like just froze a semi truck and like only being 00:17:10.096-->00:17:14.033 able to go thirty miles an hour?" But that's, that's still kinda boring because if you can 00:17:14.033-->00:17:17.503 get on the bus physically, if you can get physical access, you can just cut the brake lines, 00:17:17.503-->00:17:22.508 um, you, you could compromise a telematics unit and then have it send these, er, messages during 00:17:24.510-->00:17:30.783 a key on - engine off condition but we wanted, we wanted to do a little bit more. So then, er, 00:17:30.783-->00:17:37.056 hijacking er OEM software, er, software's used in day to day operations of the fleet, um, all 00:17:37.056-->00:17:42.995 that dat- we've talked about fleets being data hungry before, er, and as a result they are 00:17:42.995-->00:17:48.000 pulling data off these ECMs after every trip in, in many cases, and er, that data, er, or 00:17:52.672-->00:17:57.109 when...so they're always pulling this data and so, unlike where a passenger car was throwing a 00:17:57.109-->00:18:01.347 check engine light and the dealership's putting it on a scanner, um these things are 00:18:01.347-->00:18:05.618 interacting with software all the time. And so there, er, are a lot of opportunities for 00:18:05.618-->00:18:10.623 things to change. So, I repurposed the API tracer, um, so instead of just decrypting 00:18:14.026-->00:18:18.965 and logging things on the fly, er, modifying, re-encrypting and rewriting. So let's see what 00:18:18.965-->00:18:24.370 that looks like. Um, this is a screen cast because showing the full ECM would give away the 00:18:24.370-->00:18:27.974 brand and I'm really bad at video editing also I'm very sorry about the Free Version 00:18:27.974-->00:18:32.979 trade mark, this stuff as expensive and this is on my own dime. Okay, so at the beginning 00:18:36.649-->00:18:41.654 I started the kinda degenerate truck route kit. I very artfully blacked out the manufacturer, 00:18:44.090-->00:18:49.095 er, logo. This protocol is very slow so I'm going to try to patter a little bit while, 00:18:52.498-->00:18:57.503 while, while it's getting set up. So here you can see the, er, vehicle speed was at 55 miles an 00:19:08.981-->00:19:13.319 hour. Our hypothetical technician knows his drivers can't drive 55 so he decides to 00:19:13.319-->00:19:18.324 mark it up to 70. And as far as anyone can tell, er, that that went fine. It was set to 70 00:19:22.928-->00:19:27.933 miles an hour. And then, after disconnecting, we go and check and make sure that, er, that the 00:19:30.536-->00:19:35.541 truck mangle program is dead and so then we actually see what happened. And again we wait for 00:19:38.344-->00:19:43.349 the slowest vehicle protocol in the world. [inaudible]. For those who didn't hear the joke 00:19:57.196-->00:20:02.201 he made: Lin is in fact very slow. There, so we can see that in fact it was actually set to 00:20:08.407-->00:20:14.447 thirty miles an hour and this guy would have gotten about a mile down the road and, er, and 00:20:14.447-->00:20:20.686 and would have had to realize that he had to turn back and if you kee- if you manage to keep 00:20:20.686-->00:20:26.358 this running and get persistence, um, there'd be no way to tell. So they would be 00:20:26.358-->00:20:30.696 checking the mechanical issues over and over. So I think, this is a very viable, er, attack 00:20:30.696-->00:20:36.769 with real impact. >>So for future work, we're gonna work on writing an RP1210 driver for the 00:20:36.769-->00:20:41.140 Truck Duck to allow easier traffic modification. It's even cheaper than some of the E-bay 00:20:41.140-->00:20:46.045 adapter clones you can get. Um, we also wanna work on making the PC side attack a little more 00:20:46.045-->00:20:49.181 interesting so that the technician doesn't have to actually modify the parameter, 00:20:49.181-->00:20:53.419 it can just do it at once when they connect to the truck, um we'd really love to do some 00:20:53.419-->00:20:57.590 deeper firmware analysis on the ECMs you know, pull some chips, read some data, do some static 00:20:57.590-->00:21:02.528 analysis. Um, we'll be in the hardware hacking village and car hacking village if you have any 00:21:05.064-->00:21:10.703 questions, um... >>We'll also have an ECM and a bunch of live demos of this stuff, so it's not 00:21:10.703-->00:21:14.707 just a stupid screen cast with a watermark on it, you can actually play with with er this 00:21:14.707-->00:21:19.712 technology. >>Thank you very much. [applause]