My personal blog about stuff I do, like and am interested in. If you have any questions, feel free to mail me! My views and opinions are naturally my own and do not represent anyone else or any other organization.


Blogging temporarily suspended

posted Nov 4, 2015, 11:37 AM by Sami Lehtinen   [ updated Nov 4, 2015, 11:37 AM ]

Now I've got one project that really needs my full attention. Blogging is suspended until it's done, whatever it is. There will be several mega summary posts when I'm back.

Generation IV reactors, multi-tenancy, Queues, DLL, Projects, Axis Mundi, Distributed Data

posted Nov 1, 2015, 5:35 AM by Sami Lehtinen   [ updated Nov 1, 2015, 5:36 AM ]

  • Checked out Generation IV nuclear reactor designs.
  • Watched a documentary about CRISPR-Cas9; it's a great promise for the future of genetic engineering.
  • A lot of discussion about different models for implementing multi-tenancy efficiently in different applications. Sorry, no more details about this will be published. But it was a long and good discussion. It's so important to consider multiple aspects and get the level and implementation of multi-tenancy right so it won't bring secondary problems. In this case we're talking about an especially challenging, complex environment, not the daily CRUD stuff where multi-tenancy is quite simple to implement.
  • Even more discussion about peer-to-peer / federated / distributed / decentralized networking (whatever you want to call it), databases, data expiration, integrity and distribution (routing, storage, caching), flow charts and processes. Also a lot of discussion about how proxy, relay, friend, buddy (call it whatever name you like) nodes should work. - Sorry, private conversations, this time I'm not even going to quote myself.
  • Checked RabbitMQ, ZeroMQ (ØMQ) and snakeMQ. Once again, I'm going to embrace the simplest solution which fulfills the known need. So I selected snakeMQ for my project. When running a cluster / multiprocessing, snakeMQ allows me to easily communicate between processes without really caring whether those run on the same host or on some of the other hosts. Of course I could have simply used Python's native BaseManager from multiprocessing. I've also written a little test application using BaseManager and a few clients.
  • Also made my first Python application which successfully calls and returns data from Microsoft Windows Dynamic-Link Library (DLL) files using ctypes. There were some minor snags and traps when doing this, but after I got it all straight, it's very easy.
  • Projects like Freenet were technically successful but still failed to reach any meaningful user base outside very limited circles.
  • I'm a tech guy, and I really acknowledge this risk. Do something to see if it technically works. When you have decided that yep, it works, it's done and left there.
  • It requires business side and community traction to be able to take it any further. It seems that most developers fail hard at that point. Hacker News and GitHub are full of such stories & projects.
  • Projects like 7-Zip (7zip) and GnuPG (GPG) are rare occurrences where a small dedicated team / person(s) just keeps pushing the stuff for years, even if there's potentially no compensation for it at all. And it's very technically demanding, hard, complex and sure gives more than enough challenge. So it's not just playing in the park. I think I've gotta make a donation to both projects again, it's worth it! It would be nice to check what percentage of GitHub projects are still actively supported and maintained after 10 years. I'm personally still maintaining some business critical software written 15+ years ago for a few customers.
  • Some thoughts about the Axis Mundi project - I think I missed quite many things from the Wiki and documentation Readme, like temporary message storage when nodes aren't available and the most important and hard part, routing if and when the number of users explodes. I've been thinking deeply and in technical terms about mesh networking and DHT stuff, which all basically comes down to this same issue: how to make things scalable, efficient and still responsive enough without requiring too much bandwidth, computational resources or storage. My conclusion is that I've suggested a model where mesh would be used when it's viable or there is no alternative. But the primary routing should go over the Internet and/or some main routing service. Without that kind of shortcut, transferring data via mesh would be very slow and require so much power & routing resources that it would basically kill the network. The worst part of mesh networking with mobile devices is that the network routes are in more or less constant shift, which adds a really considerable amount of route management work. Maybe at night the network is somewhat stable, but what about when people head to work and offices? Either the network collapses and performs extremely badly for a while, or it would just require a lot of resources to keep the network and routing updated, which costs energy aka kills your battery.
  • A lot of thoughts for one project about how to coordinate distributed data updates where data is getting updated at high intervals. Distributed stuff is very good and easy for caching static things, but when data starts getting volatile, things start getting way more complex. As has been documented for the large distributed databases which Google is using etc.
  • Something different: checked out the MGM-140 ATACMS.
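As an added illustration of the ctypes snags mentioned in the DLL item above (this is example code written for this page, not code from the post): the two traps that bite most often are missing `argtypes` and missing `restype`. The post was about Windows DLLs; to stay runnable anywhere, this calls the C runtime already loaded into the interpreter (`strlen` and `strtod` are standard C functions), and the fallback to `msvcrt` on Windows is an assumption of the example.

```python
import ctypes
import ctypes.util

# Added example: the argtypes/restype "traps" hit when calling native code
# from Python with ctypes.  Uses the C library already mapped into the
# interpreter so it runs on Linux/macOS; on Windows the same functions live
# in msvcrt (assumed fallback).  Illustration only, not the post's own code.

def load_libc():
    """Return a handle to the C runtime already mapped into this process."""
    try:
        return ctypes.CDLL(None)          # dlopen(NULL): the global symbol scope
    except (OSError, TypeError):
        return ctypes.CDLL(ctypes.util.find_library("c") or "msvcrt")

def naive_strlen(text):
    """Trap 1: no argtypes.  A Python str is handed over as a wide-char
    buffer (c_wchar_p), so strlen() stops at the first zero byte inside the
    first character and returns 1 instead of the real length.  Worse traps of
    the same kind hand native code a pointer of the wrong width."""
    libc = load_libc()
    return libc.strlen(text)

def safe_strlen(data):
    """Declaring argtypes makes ctypes reject anything that is not bytes
    (or a c_char_p), so the native call only ever sees what it expects."""
    libc = load_libc()
    strlen = libc.strlen
    strlen.argtypes = [ctypes.c_char_p]
    strlen.restype = ctypes.c_size_t
    return strlen(data)

def strlen_rejects_str(text="hello"):
    """True when the typed wrapper refuses a Python str (the safe outcome)."""
    try:
        safe_strlen(text)
    except ctypes.ArgumentError:
        return True
    return False

def safe_strtod(data):
    """Trap 2: no restype.  ctypes assumes every function returns a C int,
    so a double would be read from the wrong register and come back as
    garbage; declaring restype fixes the interpretation."""
    libc = load_libc()
    strtod = libc.strtod
    strtod.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_char_p)]
    strtod.restype = ctypes.c_double
    return strtod(data, None)              # None is accepted for a NULL endptr

if __name__ == "__main__":
    print("naive strlen('hello')  ->", naive_strlen("hello"))     # 1, not 5
    print("typed strlen(b'hello') ->", safe_strlen(b"hello"))     # 5
    print("typed strtod(b'3.5')   ->", safe_strtod(b"3.5"))       # 3.5
```

The habit that avoids both traps is the same for a Windows DLL: set `argtypes` and `restype` on every imported function before the first call, so a type mistake fails in Python with an `ArgumentError` rather than inside the native code.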

Email delivery, mobile payments, TCP, UDP, BitMessage, OpenBazaar, CyberWar, Let's Encrypt and more

posted Oct 24, 2015, 9:21 AM by Sami Lehtinen   [ updated Oct 24, 2015, 9:22 AM ]

Wow, what a wall of text. But I've been busy during the last week's evenings and weekends.
  • Investigated a few email delivery platforms and also tested those with my own code as well as existing Python libraries. Services tested were MailGun and SendGrid, I liked both. Yet MailGun was faster to set up; SendGrid required an additional message to their support before account activation. Actually they haven't gotten back since. That's sad, because I would have preferred SendGrid over MailGun because they've got European servers and due to that fact latency to their API is 20x less than to MailGun's, but no can do if they won't let me use their service.
    Both services are also American; I would prefer a fully European alternative. I could naturally run my own SMTP outbound service aka postfix. Actually I'm already doing so; cloning and modifying a few parameters in the configuration would be pretty trivial. I just wanted to see what these services provide as extra value. The extra value comes mostly from webhooks and handling incoming email; sending email is just so easy. Another question is of course the mail deliverability aspect. My own mail server could send walls of mail directly to the spam folder, even if the users have to a) subscribe to those mails and b) confirm their email address before any content is actually delivered. I studied the MailGun API in detail, and I'm currently testing my own code against it, which took a bit more time than configuring postfix and making a script to handle bounced mails, so I don't think it's a big win if you're already an experienced email system operator.
  • Worked also with yet another mobile payment integration. This is a different case than the one mentioned in the last post. More fun, more integrations, business as usual. We'll get it done. It's interesting how different the process charts can be for these two separate systems. One has multiple steps and the other is a very simple and clean API.
  • I just mentioned earlier that there's that one integration case which will be interesting or desperate. It's turning out to be just fine. Technically the case has been just the usual kind of case. All the typical 'project issues' are there: communication, access, clarity of goals, how things should be done and so on. Nothing new, business as usual. We'll get it done too, but it just takes time when you don't have full access to all the systems which need to be configured or dealt with.
  • Participated in one of the endless TCP vs UDP discussions - UDP is better than TCP if done "well", but that "well" is quite challenging. Check out QUIC, it's an HTTPS implementation over UDP, because it's faster. Yet it's very complicated. This UDP vs TCP discussion is never ending, because there are just so many details that can be tuned. A bad UDP implementation is bad; a state of the art UDP implementation is probably better than TCP.
    It's a bit like saying that my custom database is faster and better than any existing database technology, in one very specific case which we have been tuning with a large team for several years. But for some strange reason many people still opt to use standard NoSQL / SQL databases for many purposes.
  • Flood casting networks won't scale, and that's not news. Ethernet broadcast storms and good old Gnutella. I started to study P2P applications immediately when Gnutella was out. Napster wasn't a real P2P application because it used a centralized coordination server. Gnutella used flood casting and it was immediately a problem when more nodes showed up than the network could handle. And that wasn't much.
    BitMessage works similarly, except that it uses a TTL time instead of TTL hops compared to Gnutella. I was quite annoyed when BitTorrent told that DHT would be something new, trackerless. Blah blah, when there was stuff like ED2K and other apps which had used DHT for ~10 years at that point.
  • Helped a friend with multi-tenancy system configuration. I've seen so many systems which lack an efficient multi-tenant operation mode. Running parallel instances of the same application, especially if those use DHT to partially redundantly publish the same data, is a huge waste of resources. Also the constant coordination, republishing etc. DHT traffic wastes even more resources. It's better to have a proper multi-tenancy mode which allows efficient handling of multiple clients, instead of running individual instances of the application and even the operating system (when using a full VM and not docker or similar light isolation) for multiple users.
  • Decentralized Reputation in OpenBazaar part 2 - There are just so many things to be considered in a P2P on-line trading automation process. - I've been reading some details for hours. It's easy to forget that distributed processing is a very complex thing when you assume the situation where you can't trust others or the network and have to think about all potential attack vectors. What if the parties who signed the contract modify it later? You'll need time stamps and repeated nested signatures etc., making the thing more like a blockchain internally.
  • The CyberWar lesson series didn't actually contain any information that I wouldn't have known earlier; all the usual basic stuff was explained in detail. So it's more like a good tutorial for n00bs. Cyber Terrorism, Covert Sabotage, Cyber Threats, an excellent way of attacking key infrastructure. Because computers do control things in the real world. It's truly IoT, Internet of Targets for offensive cyber weapons. Malware, RAT, 0-day, Cyber Attacks, PLC, Power Grid, Factories, Power plants, Chemical plants, Critical Infrastructure. Destroying electric generators, transformers and all kinds of key infrastructure remotely and covertly. I've so often heard people ask if it's connected to the Internet, but they forget that their operations can also be brought to a halt by disabling electricity or water systems. Of course the dependency on Internet services has been going up and up, and will be doing that for the foreseeable future. They also mentioned stealing cookies, that always sounds like so much fun! Can you reach the cookie jar? Nowadays most payment systems also work over the public Internet, so if the network is brought to a halt, society will grind to a halt too.
  • This Cybersecurity is once again a topic like the 'underground Internet markets' which is extremely deep. Anyone can lightly cover it in an hour, but going into details will take years and years of actual daily operative experience, and that's not all, it's even really recommended to also spend your free time to keep updated. Being an expert isn't only being an expert at work.
  • How is the NSA breaking so much encrypted traffic? - Nice post. So they've precomputed some large primes and many programs only generate one of the large primes used in the DH equation, leading to weakening of security. But it's also a great performance optimization, with a cost in security. - NSA Diffie-Hellman (DH) prime weakness used to break DH based cryptography, when standard DH parameters are being used. Once again performance optimization has backfired, because using a few primes as one pair of large primes improves performance, yet of course makes it less secure when one part of the equation is already pre-known. That's the price to pay when using 'fast' ephemeral DH key generation. There are reasons why some programs generate DH keys a lot faster than others. I've also been using 4096 bit DH keys for a long time. Yet I would prefer 521 bit ECC, as soon as OpenPGP supports it. Yet, Elliptic Curve Cryptography is just logarithm-family cryptography on a different finite field than modular arithmetic.
  • Let's Encrypt is now trusted. - When it comes time to renew my cert, I guess I'll be switching from StartSSL to Let's Encrypt. I can use it for many other servers too which now have self signed or even expired certs. We actually automatically or manually check the hash for those certs, so it's not insecure at all. Actually using the public key's hash is much more secure than using the cert.
  • Estonia E-residency (eID, electronic-id) makes it possible to create a company on-line and soon it's possible to open bank accounts also. I'm following the project but I haven't yet personally applied for e-Residency; maybe I should next time I visit Estonia.
  • Studied more details of international black markets and underground anonymous & pseudonymous on-line trade. Lots of good and interesting stuff there. Darkweb, deepweb, darknet, deepnet, dark net, deep web, Tor, I2P and others.
  • One long discussion said that the Internet of Things will give super powers. Yeah sure! The Internet of Targets will give super powers to crackers, spies, criminals and, above all, intelligence agencies. - Does that still sound awesome? Well, it depends what you're planning to do.
  • Mapped out a bunch of charting libraries as well as different responsive light web frameworks.
  • Read a document and a long discussion about how to send emails which improve customer engagement with SaaS products. Lots of tricks there. [Welcome Emails, Onboarding Emails, Re-engagement Emails, Revenue Generating Emails, Referral Campaigns] Yet I find that sites like Android Authority are actually very annoying with all that junk mail they're sending. [Acquisition, Activation, Retention, Referral, Profit] kw: sales funnel, drip campaign, abandoned carts, automation, receipts, marketing, sales.
  • Safe Harbor ruling - Is probably just a great win for European cloud service providers like UpCloud.
  • Amazon Web Services (AWS) opens an office in Helsinki, Finland. - Amazon Web Services Finland Oy - I just wonder if an Amazon Data Center would follow? It would be AWSome.
  • Laughed at the latest EMV crack. Afaik, I think I've heard the story earlier too. The main fail is that the card tells if the entered PIN is correct or not, and when you MITM that process, you can always tell that yep, that's the right PIN. Sounds like a pretty classic security design fail. - Now someone just used the technique with live production systems.
  • Using the SQLite JSON extension with Python - Charles Leifer posts awesome Python & SQLite stuff again.
  • Now I've got a few virtual machines running with the latest OpenBazaar development code including client & server. There are still quite many things to be done before it's done.
  • Used again the manufacturers' tools as well as badblocks -nsfv to test disks that were assumed to be broken. But let's see what the results are. badblocks is a nice tool because it can read, test and write back the same data. So you can do a complete read/write test without destroying data on the disk. Of course everything should be backed up anyway, but if everything goes well, nothing gets destroyed from the disk. Of course testing a possibly damaged disk can finalize the destruction of it. But all important data should be in backups anyway, even if the disk were to die without any warning as many SSD drives do.
  • Studied even more about OpenBazaar Risk Contracts and Future Markets, Insurances aka Speculative Contracts and Dispute Resolution as well as automated network Oracles, Reporters and Escrow Agents. Lending, Bonds, Forwards and Futures, Prediction and information markets. - Sorry, no link (yet).
  • Read again everything OpenBazaar project related and wrote a short memo about it. Most important is to have basic knowledge of everything related to contracts, vendors, moderators and reputation management in mind so you don't need to look up that stuff all the time. It's just like reading for exams or certification, you gotta know it all. And be able to instantly answer how, why, when, in detail. Some parts aren't documented well enough, so I guess I have to read the source code too. I haven't done it yet; I did it with an earlier version to find out undocumented stuff I needed. Source code is excellent and detailed documentation, it just takes a while to read it through. Here are the links to OpenBazaar-Server and OpenBazaar-Client @ GitHub. One of the things they mentioned was "Asynchronous ordering and network message caching"; it's just something I would love to take a look at and talk a lot about. Friends thought that providing fully automated oracles would be a nice service. I've also been talking a lot about different kinds of federation models and trust networks like the web of trust. More Sybil Attacks & Sockpuppets, security deposits and risk considerations. Reputation Graphs derived from public social network data to improve trustworthiness etc. Also studied 'A pseudonymous trust system for a decentralized anonymous marketplace' by Dionysis Zindros. - Really great stuff, loved reading it. Yet it takes quite a lot of time to think it all through. Line-of-Credit (LoC). External linked identities, etc. Studied JoinMarket and How to sort ratings - using the Wilson score and what not to do.
  • Building a Risk Market for the Digital Age Using Bitcoin - Studied the article in great detail.
  • I really like the concept of Astroturfing, it's just such a great way to manipulate things and make it look like it's not manipulation.
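An added example for the flood casting item above (written for this page, not from the post): a constructed random overlay and a Gnutella-style flood with a hop TTL, counting how many messages one query puts on the wire. The topology, the node degree and the seed are assumptions of the example; the per-node "seen this query id, drop it" behaviour is the one Gnutella uses.

```python
import random
from collections import deque

# Added example (not from the post): simulate Gnutella-style flood casting to
# make the "won't scale" point measurable.  The overlay is a constructed
# random graph, not a real network.

def build_overlay(n_nodes, degree, seed=1):
    """Constructed overlay: every node links to at least `degree` random peers;
    links are symmetric, so some nodes end up with more."""
    rng = random.Random(seed)
    peers = {i: set() for i in range(n_nodes)}
    for node in range(n_nodes):
        while len(peers[node]) < degree:
            other = rng.randrange(n_nodes)
            if other != node:
                peers[node].add(other)
                peers[other].add(node)
    return peers

def flood_query(peers, origin, ttl_hops):
    """Flood one query: each node forwards it to every neighbour except the
    one it came from, decrementing the TTL.  A node that has already seen the
    query id drops it, but the duplicate was still transmitted and received,
    so it counts.  Returns (messages_sent, nodes_reached)."""
    seen = {origin}
    sent = 0
    frontier = deque([(origin, ttl_hops, None)])
    while frontier:
        node, ttl, came_from = frontier.popleft()
        if ttl == 0:
            continue
        for peer in peers[node]:
            if peer == came_from:
                continue
            sent += 1                       # one message on the wire per neighbour
            if peer not in seen:
                seen.add(peer)
                frontier.append((peer, ttl - 1, node))
    return sent, len(seen)

def traffic_table(n_nodes=2000, degree=4, ttls=(1, 2, 3, 5, 7)):
    """Messages per query and nodes reached, for each TTL, on one overlay."""
    peers = build_overlay(n_nodes, degree)
    return {ttl: flood_query(peers, 0, ttl) for ttl in ttls}

if __name__ == "__main__":
    for ttl, (sent, reached) in traffic_table().items():
        print(f"TTL {ttl}: {sent:6d} messages, {reached:5d} nodes reached")
```

Two things stand out when you run it: the message count grows roughly with degree to the power of the TTL until nearly every node has been reached, and from that point on every query costs about twice the number of links in the whole overlay, so the per-query cost of the network grows with every node that joins. Replacing the hop TTL with a time TTL, as the post says BitMessage does, changes when a message stops, not this per-query cost.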
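Two added checks, written for this page and not taken from the post or any project, for the DH parameter point in the NSA item and the "check the public key hash" point in the Let's Encrypt item above. The first parses a PKCS#3 DH parameter blob (DER), reports the prime's size and whether it is a safe prime, and flags anything under 2048 bits; that threshold is this example's policy, not a number from the post, and comparing a prime against the well-known published groups would need those primes copied from their RFCs, which is left out here. The second computes the SPKI pin of a certificate (base64 of the SHA-256 over the DER SubjectPublicKeyInfo, the same value the usual `openssl x509 -pubkey` pipeline and HPKP use) and compares it with a recorded pin, which works the same for a self-signed or expired cert. The DER reader is a minimal hand-written one and the sample blobs are constructed toy values.

```python
import base64
import hashlib
import random
import ssl

# Added example, not from the post.  Two checks on the TLS material the post
# discusses: (1) a PKCS#3 DH parameter blob (prime size, safe-prime test,
# flag below 2048 bits); (2) the SPKI pin of a certificate, i.e. the
# "public key hash" the post prefers over trusting the cert itself.
# The DER reader is a minimal hand-written one; sample blobs are constructed.

def der_read(buf, pos=0):
    """Read one TLV at pos.  Returns (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def der_children(body):
    """Split a constructed value (SEQUENCE body) into (tag, value, raw) tuples."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, raw, pos = der_read(body, pos)
        out.append((tag, value, raw))
    return out

def is_probable_prime(n, rounds=24):
    """Miller-Rabin, enough for vetting a parameter file."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(der, min_bits=2048):
    """DHParameter ::= SEQUENCE { prime INTEGER, generator INTEGER } (PKCS#3).
    min_bits=2048 is this example's policy, not a value from the post."""
    tag, body, _, _ = der_read(der)
    assert tag == 0x30, "not a SEQUENCE"
    (_, p_raw, _), (_, g_raw, _) = der_children(body)[:2]
    p, g = int.from_bytes(p_raw, "big", signed=True), int.from_bytes(g_raw, "big", signed=True)
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {"bits": p.bit_length(), "generator": g, "safe_prime": safe,
            "acceptable": safe and p.bit_length() >= min_bits}

def pin_of_spki(spki_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_pem):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and pin it."""
    _, cert_body, _, _ = der_read(ssl.PEM_cert_to_DER_cert(cert_pem))
    fields = der_children(der_children(cert_body)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                                  # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return pin_of_spki(fields[5][2])

def pin_matches(cert_pem, expected_pins):
    """Independent of CA trust and expiry: is this a key we recorded before?"""
    return spki_pin(cert_pem) in set(expected_pins)

# --- constructed samples (toy sizes; real input is the PEM/DER file) ---------

def encode_tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_int(v):
    return encode_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

SAMPLE_DH_DER = encode_tlv(0x30, encode_int(23) + encode_int(5))   # safe prime, but only 5 bits
SAMPLE_SPKI = encode_tlv(0x30, encode_tlv(0x30, b"\x06\x01\x00") + encode_tlv(0x03, b"\x00" + b"\x42" * 32))
SAMPLE_CERT_PEM = ssl.DER_cert_to_PEM_cert(encode_tlv(0x30,
    encode_tlv(0x30, encode_tlv(0xA0, encode_int(2)) + encode_int(1) + encode_tlv(0x30, b"") * 4 + SAMPLE_SPKI)
    + encode_tlv(0x30, b"") + encode_tlv(0x03, b"\x00")))
```

On a real file, `check_dh_params(open("dhparams.der", "rb").read())` answers the two questions the NSA item raises (is the group large, is it a proper safe prime), and `pin_matches(pem_text, recorded_pins)` is the "check the hash of the public key" step from the Let's Encrypt item; record the pin when you generate the key, not from the live connection you are about to verify.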
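An added worked example (written for this page, not from the post or the linked article) of the Wilson score ranking mentioned at the end of the OpenBazaar item, beside the two naive scores that "what not to do" refers to. The vendor ratings are constructed.

```python
import math

# Added example (not from the post): rank vendors by the lower bound of the
# Wilson score interval, and compare with the two naive scores.
# Sample ratings below are constructed.

def wilson_lower_bound(positive, total, z=1.96):
    """Lower bound of the Wilson score interval for the fraction of positive
    ratings.  z=1.96 is the 95% normal quantile.  No ratings -> 0."""
    if total == 0:
        return 0.0
    phat = positive / total
    z2 = z * z
    centre = phat + z2 / (2 * total)
    spread = z * math.sqrt(phat * (1 - phat) / total + z2 / (4 * total * total))
    return (centre - spread) / (1 + z2 / total)

def naive_average(positive, total):
    """What not to do #1: a single positive rating beats 9 out of 10."""
    return positive / total if total else 0.0

def naive_difference(positive, total):
    """What not to do #2: 60 positive / 40 negative outranks 9 out of 10."""
    return positive - (total - positive)

SAMPLE_VENDORS = {            # constructed: vendor -> (positive, total)
    "new_vendor": (1, 1),
    "established": (9, 10),
    "mixed_high_volume": (60, 100),
    "unrated": (0, 0),
}

def rank(vendors, score):
    """Vendor names, best first, under the given scoring function."""
    return sorted(vendors, key=lambda v: score(*vendors[v]), reverse=True)

if __name__ == "__main__":
    for name, fn in (("wilson", wilson_lower_bound),
                     ("average", naive_average),
                     ("difference", naive_difference)):
        print(f"{name:10s}", rank(SAMPLE_VENDORS, fn))
```

The Wilson bound is the score that cannot be gamed by a handful of fresh sockpuppet ratings: one 1-of-1 vendor scores about 0.21, while 9-of-10 scores about 0.60 and 60-of-100 about 0.50, so volume of evidence and the positive fraction both matter.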

Mobile Payments, HTTP/2, Dark Market, Dark Web, Cyber War & Terrorism, GAE, Done, Information War

posted Oct 17, 2015, 11:55 PM by Sami Lehtinen   [ updated Oct 17, 2015, 11:56 PM ]

  • Worked with one Mobile Payment Application integration project; I'm expecting it to be quite a hit in Finland. - Can't tell any details right now. But well, I guess it'll be marketed with high visibility when it's out. Whatever it is.
  • Studied the Apache mod_h2 [HTTP/2, h2, h2c] module documentation.
    It's interesting to follow which sites use HTTPS, which use HTTP/2 (h2) and which have the old SPDY enabled. kw: h2c direct, curl, nghttp.
  • Carefully studied The Hidden Data Economy - The Marketplace for Stolen Digital Information (PDF, 19 pages) - This is where your data ends up after it has been stolen? Well, it'll probably be sold to someone who can make more money out of it than you could. - Cyber fraud, dark market, internet underground, login credentials, cyber criminals, cyber terrorism, stolen credit cards, stealth bank transfer, identities, financial data, cyber crime as a service.
  • I'm going to watch a four hour long series of lessons about Cyber War and Cyber Terrorism soon. I just got the fresh video files from a friend working in the industry. I guess I'll be blogging a few things about that in the future.
  • Also plunged into the deep web (Tor / Dark Web) to see if there's anything especially interesting, yet I didn't find anything worth looking around for. It's usually quite slow to find interesting stuff and I don't have the time or resources for that. Yet one of my friends' projects will probably use a Tor Exit Enclave to provide secure and anonymous access to the site.
  • My comments on the never ending Nginx vs Apache discussion: "Nginx has its own limited set of features. It won't run some stuff internally; instead it works as a reverse proxy. Apache is much more versatile with its countless modules. I've been using both, and currently I'm using Apache for exactly this reason. is also a good thing to keep in mind, if you're looking for a fast load balancing proxy. Also you might not need high 'static file serving performance' if you're using a caching CDN. You're basically off-loading one layer of your stack to the CDN."
  • Efficient use of asynchronous operations in Google App Engine - Nice blog post about how to utilize database transactions, tasklets and deferred tasks. Nothing new, all very generic stuff both as a means and as a problem. But this is of course a very GAE platform specific thing. kw: tasklet, deferred task.
  • Hostile Email Landscape - Email used to be an open and free system, but it isn't anymore, because everyone new trying to enter the circles is treated with a pretty hostile and unwelcoming attitude. If you're an email system administrator, or have tried to deliver email to most of the large cloud systems, I'm pretty sure this is no news to you. - I'm self hosting my own email system too, for privacy, as are many of my friends.
  • "Done is better than perfect" - This is the attitude I like. Doing something perfectly is usually a very bad idea. Especially when you don't actually know what perfect is. It's just some kind of illusion you've got in your head. Did you get enough feedback from customers to make it perfect? Well, of course not, because you haven't been telling them what you're doing, because you'll only release your project when it's perfect.
    Release early, gather feedback, iterate, learn, lean! - That's what I've been doing with all of my projects and recommending to friends too. As well as tight communication with the customer at every step. Instead of postponing it for years, until it's perfect. - Also it's very important to find out who your customers might be; they can provide valuable feedback based on the business / service / product concept alone, on what they would need and expect from it.
    If you do all that stuff in secret, you'll get mentally crushed by customer feedback when they tell you it's nothing they want to use / have. Customers also usually like it if they get some kind of reasonably costly solution; making it perfect will cost 10-100x more and if it isn't even what they need, well, that's not a nice situation to be in.
  • I've been helping a friend with his interesting side project. No more about that, but we've set up a few servers for testing and staging. Production servers haven't been ordered yet, but it's an interesting project. I really wish my friend very good luck with this challenge and hope he'll do well with it. It's his first commercial website, so there will be challenges to tackle in the future too.
  • Enjoyed reading: Internet Troll, Ad hominem, Black Propaganda, Gray Propaganda.
  • It's also important to make a separation between disinformation and misinformation. Sometimes carefully crafting very informed disinformation can be just really fun. Providing 'accurate' disinformation can also be a very efficient method of counterintelligence and information war. There has been some news in Finland about Russia engaging in active information war, disinformation, propaganda. But it's hard to say if it's state controlled or just a bunch of activists having some fun. Also see underground computer groups and cyberterrorism. There are quite many sites providing politically incorrect content, and I'm not now referring to the US TV show. Thinking about disinformation and counterintelligence, I wonder if it would be fun to 'leak' highly sensitive documents, which would of course be complete fraud, carefully crafted by experts to look like the real stuff. But the actual target is just to FUD the rest of the net users and potentially cause a resource consumption and wasted effort kind of attack, by making things look insecure and causing them to waste resources because of fabricated threats. Would they do such things? I guess they would.
  • Reminded myself about Thermobaric aka fuel-air bombs / weapons, the Russian Heavy Rocket Launcher TOS-1 Buratino.

Smart Contracts, OB, H2, FLIF, Snowball, Decentralized Reputation, Light, IPFS, Loopback/Localhost

posted Oct 10, 2015, 10:22 PM by Sami Lehtinen   [ updated Oct 10, 2015, 11:23 PM ]

  • Reminded myself about smart contracts, because this has been talked about a lot in some circles. Also see What are Smart Contracts. Also checked out Freicoin. It has somewhat different design aspects than Bitcoin.
  • There's some interesting market development going on with OpenBazaar and P2P insurances. But I can't tell more details about that yet. It's nice to see that project really picking up the pace. Following all the development discussions starts to be hard at times.
  • Studied the OpenBazaar insurance contract schema. - As well as reviewed the current JSON RESTful API documentation for the.
  • Google is pushing HTTP/2 forward hard. - Improved cloud service performance is naturally a really nice thing to have. Google App Engine also uses HTTP/2 when HTTPS is enabled. I wonder when h2c support is coming?
  • Checked out FLIF - Free Lossless Image Format - which also provides better compression than existing lossless compression methods. - A new, still developing lossless image compression standard, FLIF aka Free Lossless Image Format. I like it. I personally wished that JPEG2000 (JP2) would have been more widely used, but nope. It clearly wasn't a big enough change.
  • Amazon Snowball - A suitcase storage server for transferring data. I personally think it's nothing new; it's just one adaptation of technologies widely used already and for a very long time. "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway." - Adaptation of old technology. Quite a nice way to transfer large amounts of data. Of course most of us have done this same thing using fast USB docks and disks, but this provides a bit more high tech solution.
  • Studied OpenBazaar Decentralized Reputation in detail and commented on it. I'm sorry for not sharing the comments publicly. Maybe a bit later, before things have been refined.
  • Solar time vs time zone - I wonder what the meaning of DST (daylight saving / summer time) is when you take a look at this map. This shows how 'wrong' times many areas of the world already have. Many places have an hour or two wrong clock time. Yet most countries seem to 'lag behind' the real solar time.
  • Light - Not immediately impressed, but I think they've got a nice idea there. Of course it's quite expensive. I really would love to see the production model in action before ordering. Also the software used to 'develop' images is very, very important, just like it is with Lytro.
  • I've asked the OpenBazaar team a few times how they're going to implement potential 'extensible contracts'. So far I haven't received any conclusive answer. It's always hard to decide if a format should be extensible or not. I've written about this so many times. The truth is that many systems using XML don't actually allow extensions without extensive modifications of the schema and software, making them pretty rigid and practically non-extensible compared to any other solution.
  • New NameCheap - Advanced DNS allows setting TTL values from 1 minute to 60 minutes or Automatic? What value will Automatic be? I've got no idea. I didn't find any help or documentation about that. It would be just nice to know. I personally hate such weasel words without any additional information. I guess it's something reasonable, but it would be nice to know how long it actually is. - It turned out that making a ticket was worth it. Even if my ticket was on the very lowest possible priority, it got answered pretty quickly. The Automatic value is 1799 seconds and it's there just for people who don't have a clue what they should choose, to prevent them from contacting support asking stupid questions, like I did. It would be just very nice to mention that somewhere, so people who do want to know what it means could find out. Anyway, I posted this data to three other places as well as my blog, so basically it should now be possible to find it using Google.
  • Is IPFS a CDN? - In most cases I would assume its performance wouldn't meet CDN levels. There are also solutions like user based CDNs using JavaScript already, which form a site specific swarm of users having that content. In theory it could work well for sites like 4chan images or news sites, or for downloading Ubuntu DVD images. I've blogged about such solutions and I've been asked to join a few teams developing such solutions. I also personally like how Freenet and GNUnet also cache data which isn't requested by the user, making the network and data replication & distribution much faster. If there's a high capacity server sitting idle, most solutions wouldn't utilize it. Yet solutions with fully automated caching would also use those to deliver high demand content as well as to store low demand content for extended periods. I've thought A LOT about this stuff. There are good and bad sides to every aspect, as usual. Also it's hard to guarantee any TTL. Availability could be really bad, or data might not be available at all. IPFS is NOT permanent.
  • I've seen too many of the "there's no place like" images. So I upgraded it to IPv6. Here's the new image.

RDS, EFF, Sea Lion, Hacked, Haunted, Criminal, Safe Harbor, Reptuation & Identity Management, Tieke

posted Oct 10, 2015, 10:13 PM by Sami Lehtinen   [ updated Oct 10, 2015, 10:22 PM ]

  • Once again enjoyed problems with Remote Desktop Services aka Terminal Services aka Remote Desktop Protocol; it's just so enragingly badly done. Thank you Microsoft for all this suffering.
  • Finished reading several articles about digital assets and insurances, etc. How money and trade will be done in future on-line markets. One example from OpenBazaar has already been published.
  • A post by EFF - France is going to expand its already extensive Internet monitoring & spying.
  • A post by EFF - TPP is going to be bad, as bad as they feared. These are complex things; it's good that they're paying attention. Thanks to Wikileaks.
  • Saw an old book in my bookshelf. "Miksi tietojärjestelmäprojekti epäonnistuu" by CxO Mentor Oy. It's a book with lessons learned about why ICT projects fail. We all know the reasons way too well: lack of communication, unclear goals, a generic rush to get something done without knowing what should be done and so on. Individual decisions made by independent groups as part of a whole, which won't fit with the complete picture of the project, etc. All the classic fail reasons. Stockdale paradox, etc. Rushing into production without proper testing because we're late from the original schedule. This is one of my favorites.
  • Wondered about security best practices again. Why should some rare service be opened to the whole world, when we know exactly the one IP address the client(s) are using? Well, maybe just because it's so hard to type in the one IP address. Yes, business and security as usual.
  • Expressways to the future - Official information is now out: the Sea Lion (C-Lion by Cinia) fiber optic submarine cable (1,172 kilometers) at the bottom of the Baltic Sea should bring Helsinki only 19.5 milliseconds from Frankfurt (HEL-FRA-HEL) round trip (RTT). So basically this means cutting about 10 milliseconds away from the current latency, depending on operator and routing, which translates to a 33% - 50% reduction in RTT depending on several factors. - My personal question is when ROTACS will be built, if it will be built. I think it's highly likely that it will be built, because there's a clear demand for it. But when, and what will the route be?
  • I guess that at least Sonera (Telia, TeliaSonera) is going to use that cable (Sea Lion); it should be pretty clear at this point. I guess that it puts pressure on other large players like TDC and Elisa. Yet Elisa isn't working so much internationally, so they're buying their transit from other operators. I'm also pretty sure that DTAG aka DT, DTE, DTEGY or Deutsche Telekom aka German Telecom will be using the new submarine optic fiber cable.
  • This is also one of the reasons why I've recently been locating most of my servers near Frankfurt (Germany) instead of the traditional location near Amsterdam (Netherlands). In the future it seems that Eastern Europe is also building Internet at a high pace, so at least Warsaw (Poland) does look like an interesting location. I also assume that places like Bucharest and Istanbul are going to get more data centers in the future.
  • Here's why you might get hacked even if you "don't have anything worth taking" - In many cases they're not after data. They're just after servers with high resources and an excellent Internet connection. That is also quite a worrying aspect, because if I were after someone's data, I would make sure to give a false impression that I wasn't after the data and only after the server resources. Benefit? The security breach / system intrusion case would probably avoid proper investigation and is easily dismissed as 'nothing serious happened'. It's just so easy to always conclude: ok, it was some script bots / kids that took over our server resources and mined Bitcoins for a while, nothing serious worth a thorough investigation happened. Just change the password and remove the offending processes, right? Just like cleaning up infected workstations with anti-virus software, ehh.
  • Haunted by data - Excellent presentation! I've been asking the very same questions. And I really loved the presentation. More big data science plz? "Switch from the hoarder's mentality of 'keep everything in case it comes in handy' to a minimalist approach of collecting only what you need." - I'm already doing exactly that.
  • The Internet of criminal things - Yes, everything will be monitoring and spying on you in the future. That does look almost inevitable, it already is. You're being betrayed by your smart phone at least.
  • Followed a lot of discussion around OpenBazaar contracts, Reputation management, Networking protocols, UI design, lot of deeply Bitcoin related tech stuff like multi signatures and OP_RETURN data content usage and so on.
  • It's great that CJEU decided that US, EU data sharing Safe Harbor should be ended. It was all the time clear that US companies do not provide required privacy for European users. - Yet it could also mean that some US services won't be available to EU businesses. As well as individual EU countries will make their own privacy legalization and there won't be single EU wide privacy and data protection legalization, it might bring lot of management burden and drive great business for lawyers. I wish it would be possible to get EU wide standard data privacy / security regulations and legalization.
  • We're Replacing Comments with Something Better - Interesting views how Internet Discussion Forums should work. It seems that many media sites are now closing down their comment sections due to problems with moderation, low quality comments etc. I guess this might boost some discussion platforms to new records. Especially social media benefits, because discussions can't be held on the news site itself, so users have to find alternative methods to share their thoughts.
  • Discussed with friends about decentralized reputation, on-line and Internet identity & reputation management as well as how Web of Trust works with this setting. Long and deep discussion as well as several view points from all aspects. Strong identity, Pseudonyms, Personal Identification, Technologies, Legalization, etc. How to combine pseudonyms on different systems and create a trust relation and so on. Related: Reputation management, Digital Identity, On-line identity management from this data it's also possible to derive Social map aka Sociogram.
  • OpenBazaar private messages also allow P2P OpenPGP encrypted private communication directly between peers using STUN & TURN, nice!
  • Some times if targets are too easy, it really makes you wonder, if those are actually just honey pots waiting for you.
  • TIEKE - Finland, a cyber threat preparedness forerunner? - I really like these posts. Because these prove that at least someone is awake an thinking about these things in this forsaken country.
  • I've been mapping and asking offers from local Internet fiber service providers. It seems that the price scale is absolutely humongous. For basically same service you can easily pay 10x too much (1000%) if you don't ask offers from multiple service providers and negotiate about the price hard. Unfortunately I can't give more information because the offers are confidential. But don't just order a fiber connection, work a little to make it faster / cheaper for same money! Let's see what option I end up with. Maybe I'll write about that later, maybe not.

Digital Assets in OpenBazaar personal thoughts

posted Oct 7, 2015, 10:20 AM by Sami Lehtinen   [ updated Oct 7, 2015, 10:21 AM ]

Digital Assets in OpenBazaar - Blog post by drwasho
Digital(ized) assets are an important part of digitalizing trade. Items are transferred into electronic form using OpenBazaar and can be redeemed at any point. Technically OpenBazaar utilizes the Bitcoin blockchain and public key cryptography to make the assets transferable and secure.
Certificate type 1, the 'redeemable certificate', is quite basic stuff.
But type 2, electronic keys, is pretty interesting. It brings to mind all the James Bond villains with control keys, or some CSI Cyber stuff. Lol. But yes, it's an important thing.
Type 3 isn't so important afaik. There's also the process of how discount and gift certificates can be tied together with other purchases. Many gift certificates and discounts contain more or less complex rules for redemption.
There are already solutions providing these services, but OpenBazaar can bring new additions and improvements to the mix. One of the most important features is trust and on-line vendor reputation management.

OpenBazaar can fix many issues with digital assets. It works as a contracting platform and also provides a discovery network to find available contracts. Discovery and reputation together allow it to work as a complete marketplace. Sellers get a proper reputation based on previous deals, and OpenBazaar can provide a distributed reputation system which is built into the process by default. Money can easily flow around using Bitcoin as the payment method, while pricing can still be done in fiat currencies. Not forgetting standardized contracts using Ricardian contracts and JSON.

Understanding digital assets is easy when you think of them as gift certificates or gold certificates. You can trade the certificate freely on-line, and then someone will redeem it. Trading before redemption can be done completely freely on-line using OpenBazaar's Securitized Digital Assets feature.

If you have studied the history of money, you'll quickly find out that this is how banknotes actually got started. It was a paper valued at something, like 10 squirrel skins or one ounce of gold. The paper could be traded and transferred around without the physical assets being moved or handled. Of course the examples above were easy to transfer, but what if the asset on the paper were twenty barrels of wheat? Or one hundred cows? Moving digital assets around also makes the market much more liquid, because the asset can be moved quickly: bought or sold in seconds.

The asset holder needs to trust the issuer, since a certificate is worth only what the issuer will actually redeem it for; this makes it unlikely that pseudonymous users could issue digital assets on-line. But as we know, there are plenty of businesses doing this already.

Sorry, really quick notes and a draft. Didn't have time to go through this. This is more like a dump of OB-related stuff.

Related link: OpenBazaar Blog

Facebook, Attack Map, Qlik, Panorama, Tableau, BuiltWith, P2P Insurance, Tiedustelulaki, Identity Management

posted Oct 2, 2015, 8:43 PM by Sami Lehtinen   [ updated Nov 1, 2015, 5:29 AM ]

  • How Facebook lets people know if you're OK. - I think the post is full of obvious stuff. I personally didn't find anything especially interesting in it. Most of the stuff is very basic optimization that should be done in every project. Yet there's one question. If there's a disaster area, is the primary goal to overload its networks with non-emergency traffic? Isn't the basic rule that if something happens, you should avoid useless and unnecessary communication, as there are probably better uses for the bandwidth? So when I think about it, yes, it's nice if it makes it unnecessary for people to do the most undesirable thing, aka call the area / persons in the area. Yet flash-flooding the networks of one country might still be a bad idea and, depending on the situation, could hog quite a lot of bandwidth / overload networks. One thanks for stupid behaviour goes to all those über stupid Hollywood movies. It seems that people do not act in the movies like they're trained to by the military and emergency services.
    I still remember when SMS was getting very popular and during New Year's Eve the SMS traffic got so high that it totally overwhelmed the networks and delivery systems. The result? The flash flood of SMS messages was still being delivered over two weeks after New Year. The overload also caused a situation where ACK packets failed to reach the servers, which made the situation much worse: now the same message could get delivered even tens of times. A similar situation happens with TCP: when packet loss goes up, packets get redelivered and lost connections are retried, making the overall situation even worse than it would be without this retry logic.
  • Norse Attack Map - I don't like that map at all; it's way too generic. It's so common that people get confused about attacks and all kinds of lies being sold by security companies. Yes, there are real attacks, but most of the background-radiation junk isn't real attacks. And real attacks might not get detected as real attacks; otherwise it would be way too easy to detect attacks.
  • Is this going to be the future of the Internet of Things? I'm really afraid it will, but I hope it won't. A story of how horrible the security of IP webcams can get.
  • Checked out B61-12 nuclear bomb. Interesting and expensive stuff. As well as Ka-52 Alligator. Read more stuff about Yasen Project 885 submarines.
  • Checked out Qlik Sense Desktop and Panorama Necto 15. Both are excellent self-service smart data discovery and visualization tools which can be used for Business Intelligence analytics. I've explored Tableau earlier and I really loved it. Qlik Sense Desktop is just as awesome. I didn't go into details or try doing anything hard, but a basic dashboard from data in a database was trivial to visualize, and creating a dashboard from data was awesome and easy with all three products.
  • Watched a few nice BBC documentaries, Computer Algorithms, Computer technology (early history) and history of Diesel Engines. 
  • Nice document describing the Cinia Group Oy / Sea Lion (C-Lion?) submarine cable system (PDF). - Read it all, but afaik there wasn't anything new in there. Just a generic document about submarine cable laying and design, protocols, processes, required equipment, planning, etc., including the detailed route, depths, laying technology, environmental impact and so on.
  • StartupDaily / BuiltWith - This would be pretty much my dream: something quite simple, running in fully automated form and making money. It would be just so wonderful to own such a business. Well, I have some plans, but nobody ever knows if those are going to work out or not. The probability of miserable failure is something like 95%. But sometimes you just strike gold. Who knows.
  • Read a document by Michael Folkson, Building a risk market for the digital age. - A nice description of how the Bitcoin blockchain and OpenBazaar-style digital assets could be used for issuing distributed digital insurance. kw: value exchange, risk exchange, decentralized insurance marketplace, insurance industry, blockchain technology, peer-to-peer insurance.
  • Some thoughts about OpenBazaar and a distributed insurance market: with distributed insurance, does it mean that the insured amount should be held somewhere in escrow? That basically ruins the whole business if it's like that. I'll be reading further comments before posting this, but it was my first thought. In the case of liability insurance, for example, the customer might pay 100 units, and the amount the customer is insured for can be 1000x more. So a 100-unit escrow isn't worth it, and if that 1000x is required in escrow, it ruins the whole business. So yes, there's counterparty risk, but it's kind of an essential part of making the deal feasible. I'm also very keen to know what kind of insurance deals will be available and how they are going to be technically arranged. All this slightly reminds me of the X-Trackers 2.0 synthetic ETF counterparty risk management. kw: collateral damage, escrow contract, conventional insurance industry, insurance brokers, buyers, sellers, claims, payout. Have to read and think a lot more about how this is going to work. Luckily I guess the community has excellent expert contacts on this matter.
  • I was a bit worried that Electronic Frontier Finland - Effi ry would completely miss the Finnish 'Tiedustelulaki' (intelligence law) issue. But they didn't. Here are their comments about it in Finnish.
  • Had a lot of deep thoughts about identity management with my friends. Yet there's nothing new; I've said it earlier. Good systems provide the possibility of complete anonymity as well as very strong pseudonymous credentials. If required or wanted, that pseudonym can be linked to a real-life identity, but it's completely optional. I've done that several times personally by signing anonymous posts with a freshly generated OpenPGP key, so all of my posts got a very strong pseudonymous identity. If required, I can sign a message with that same private key revealing who I am, as well as cross-signing it (mutually signed) with my well-known personal public key. Just so much talk with my OpSec and InfoSec nerd friends. Is my tinfoil tight enough? No? I think it's leaking some TEMPEST radiation.
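The retry amplification described in the SMS and TCP note above (lost ACKs, blind resends, duplicate deliveries) is easy to make visible with a small simulation. The following is an added example, not code from the original post: a toy discrete-time model whose parameters (1000 clients, a server that handles 100 messages per tick, ACK loss proportional to the overload) are my own constructed assumptions, comparing the naive "resend next tick" policy with exponential backoff plus full jitter.

```python
"""Retry amplification: why blind retransmission makes an overloaded system worse.

Toy discrete-time model with constructed parameters (not measured data):
`clients` senders each need one message ACKed by a server that handles
`capacity` messages per tick.  Arrivals beyond capacity are dropped, and
while the link is overloaded the ACKs travel back over the same congested
path, so some of them are lost too; the client then resends a message the
server already handled, i.e. a duplicate delivery.
"""
import random
from dataclasses import dataclass
from typing import Callable

# (attempt number, rng) -> extra ticks to wait before the next try
Backoff = Callable[[int, random.Random], int]


@dataclass
class Outcome:
    ticks: int        # ticks until every client holds an ACK
    sends: int        # transmissions on the wire, retries included
    duplicates: int   # server-side deliveries beyond the first per client


def immediate_retry(attempt: int, rng: random.Random) -> int:
    """Resend on the very next tick, every time (the naive behaviour)."""
    return 0


def exponential_full_jitter(attempt: int, rng: random.Random, cap: int = 64) -> int:
    """Wait a uniformly random number of ticks in [0, min(2**attempt, cap))."""
    return rng.randrange(min(2 ** attempt, cap))


def simulate(clients: int, capacity: int, backoff: Backoff,
             max_ticks: int = 10_000, seed: int = 7) -> Outcome:
    rng = random.Random(seed)          # fixed seed: the run is reproducible
    acked = [False] * clients
    attempts = [0] * clients
    next_send = [0] * clients
    processed = [0] * clients
    sends = 0
    for tick in range(max_ticks):
        if all(acked):
            return Outcome(tick, sends, sum(p - 1 for p in processed))
        senders = [c for c in range(clients) if not acked[c] and next_send[c] <= tick]
        sends += len(senders)
        rng.shuffle(senders)
        # fraction of the offered load the server cannot take this tick
        overload = max(0.0, 1.0 - capacity / len(senders)) if senders else 0.0
        for c in senders[:capacity]:           # the rest are dropped unseen
            processed[c] += 1
            # the ACK crosses the same congested link and is lost with
            # probability equal to the overload fraction
            if rng.random() >= overload:
                acked[c] = True
        for c in senders:
            if not acked[c]:
                attempts[c] += 1
                next_send[c] = tick + 1 + backoff(attempts[c], rng)
    raise RuntimeError("system never drained within max_ticks")


def compare(clients: int = 1000, capacity: int = 100) -> dict:
    """Same overload, two client policies; returns {policy name: Outcome}."""
    return {
        "immediate": simulate(clients, capacity, immediate_retry),
        "backoff": simulate(clients, capacity, exponential_full_jitter),
    }


if __name__ == "__main__":
    for name, o in compare().items():
        print(f"{name:9s} ticks={o.ticks:5d} sends={o.sends:6d} duplicates={o.duplicates:5d}")
```

With the immediate policy every unacknowledged client re-offers its message every tick, so the link stays saturated, most ACKs keep getting lost and the server processes the same messages again and again; with backoff the offered load thins out within a few ticks, the ACK path clears and the duplicates mostly disappear. The retry logic is not wrong in itself; what makes it harmful is retrying at full rate into a link that is already dropping the replies.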

ARIN IPv4, CISA, OVH, Karma Police, TCP Cubic, NetAnalytics, Galaxkey, Status LED

posted Sep 29, 2015, 9:46 AM by Sami Lehtinen   [ updated Oct 2, 2015, 8:31 PM ]

  • ARIN (North America) is now finally and officially out of IPv4 addresses. Now would be a really good time to get your IPv6 stuff together if you haven't done it yet. Also many big players like BT are now really starting to push IPv6 forward.
  • One more reason to avoid US based hosting? CISA - You'll get betrayed by US technology companies.
  • OVH announced building 12 more data centers? - I wonder if OVH couldn't provide customer satisfaction with mega data centers. Is latency so important for many customers? The GRA and BHS data centers are potentially absolutely huge, but does that make customers unhappy due to potentially high latency to a distant mega data center? I guess that's the reason why they're planning to build 12 more (obviously smaller) data centers.
  • Read: Karma Police - Surprised? Nope. It's just as expected. Very good article reminding us how we're all being monitored. Had to read it all even if it's very long. Good stuff.
  • TCP Cubic bug fix by Google. Slow start broken on persistent connections when using Cubic? OK, I thought slow start would be used if the connection has been 'idle' for a certain time. But it seems that wasn't the case in this particular case.
  • Had some discussion about traceroute and similar 'story' traceroutes where the route contains tons of funny names, a story, or whatever. I would personally prefer faking it using a Python script instead of using two routers as one old example solution did. When I said that, I was asked if I would write such a script. My answer was:"
    I'm busy with other projects, so I won't do it. But that's trivial. It would be a good practical learning opportunity if you're trying to learn about the IP protocol and packet handling. Just use raw sockets on Linux, get the data, and generate responses from a different IP.
    Alternatively you could use multiple IP addresses on the same host; then you don't need to fake packets and can traditionally listen for ping on every IP. But that takes it to a bit higher level and it isn't so fun anymore.
    Or you can set your computer to listen in on routed traffic, if you've got a router which will route a subnet to your 'software' router. There are multiple ways to do it.
    Of course using two hardware routers is also ok, if you want to learn about configuring those. Different goal, different means.
    All of these means still require you to be able to control that subnet and set required reverse DNS information.
    Also the latency between the first hop of the story and the last hop of the story tells that the system has very limited capacity. In the case of the faking script, the delay difference between hops would be 0 ms. Now the numbers directly tell that there's plenty of latency and packet handling is taking a long time. -> Guaranteed to have poor throughput & load characteristics."
  • Fixed my monitoring script; now it's possible per service to select whether the service will be monitored using IPv4 or IPv6 in round-robin, IPv4 alone, IPv6 alone, or both in parallel. Nice! All information is logged nicely in a database and can be analyzed later. I guess I'll be saving some of those logs too, so I can produce nice graphs when C-Lion (Sea Lion?) by Cinia gets connected between Finland and Germany.
  • Galaxkey - More hardware 2FA / key management solutions. Afaik, nothing new in this case. It's not American, but a British company, which means that it can't be trusted any more than American companies. Also their own secure solution with invites, email, etc. isn't what I'm looking for. If I want an authentication solution I want it to be as independent as possible. If it requires 3rd party trust, it's not secure in the way I'm looking for. Many of these solutions also leave a gaping hole for a back door entry. So basically the systems are secure if they work as designed, but because many parts of the system are from a single vendor, it's trivial for them to break the security whenever they want / need to. I've seen many software pieces work differently depending on who the customer / license holder is. So the software is secure, unless the user being targeted is using it. Even then the security can be broken in a very subtle way, so there's no way for the user to actually know that they've lost security & privacy.
  • OpenBazaar will allow selling of 'electronic goods' - Anything can be sold, purchased and naturally delivered online. The music business has been leading this trend and everything which can be sold will follow. But there haven't been great ways for individuals to sell electronic items online. OpenBazaar will allow that to be done easily by anyone and anywhere, as well as using cyber lockers for efficient delivery & pickup without hosting expensive delivery systems and content delivery networks (CDN). But I'll be posting more about that later.
  • I'm just wondering why phones with AMOLED displays (without a backlight) would need a status LED. Wouldn't it be trivial to just briefly blink a group of pixels on the screen itself showing a symbol or figure? Just enough to get your attention. Tens of milliseconds should be enough for you to recognize that 'something happened'. The power required for that should be absolutely minimal: a 20 ms flash every minute or so, lighting up just a group of pixels forming an email symbol or phone symbol on the screen. Yep, if you've already got an LED display, what would you need a status LED for? I just don't get why they're not doing that already.
  • I guess you've already noticed that my Blog posts lag behind. I'm not posting daily and even weekly posts could have been stored as drafts for months before getting posted.
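The 'story' traceroute faking script discussed in the answer above boils down to one rule: a probe that expires with TTL n is answered with an ICMP Time Exceeded whose source address is the n-th fictional hop. The following is an added example, not the script the author was asked for and not anyone's production code: it builds and parses those packets byte by byte (IPv4 header, ICMP type 11 quoting the original header plus 8 data bytes as RFC 792 requires, RFC 1071 checksums). The hop addresses are RFC 5737 documentation addresses and a stand-in for a subnet you actually control; putting the replies on the wire needs a raw socket, the route for that subnet and PTR records for the hop names, which are outside the example.

```python
"""Faking a 'story' traceroute from one host: every probe that expires here
with TTL n is answered with ICMP Time Exceeded (type 11, code 0) from the
n-th fictional hop.  This module only builds and parses the packets; putting
them on the wire needs a raw socket (CAP_NET_RAW on Linux), the route for the
subnet, and PTR records for the hop names, which are outside the example.
"""
import ipaddress
import struct
from typing import List, Optional

# Assumption: a small block you control, routed to the faking host.  RFC 5737
# documentation addresses stand in for it; each one gets a PTR record that
# tells one line of the story.
FAKE_HOPS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 means 'verifies')."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """The IPv4 header fields a traceroute faker needs, plus checksum status."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "header_ok": len(packet) >= ihl and checksum(packet[:ihl]) == 0}


def build_udp_probe(src: str, dst: str, ttl: int, dport: int = 33434) -> bytes:
    """A classic UDP traceroute probe (constructed test input; UDP checksum left 0)."""
    payload = b"\x00" * 32
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, 17, len(udp), ttl) + udp


def build_time_exceeded(probe: bytes, hop_ip: str) -> bytes:
    """ICMP Time Exceeded 'from' hop_ip quoting the probe, as a real router would."""
    info = parse_ipv4(probe)
    quoted = probe[: info["ihl"] + 8]       # RFC 792: original header + 8 data bytes
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(hop_ip, info["src"], 1, len(icmp), ttl=64) + icmp


def reply_for_probe(probe: bytes, hops: List[str] = FAKE_HOPS) -> Optional[bytes]:
    """Pick the fictional hop by the TTL the probe arrives with.

    Real routers on the way have already decremented the TTL, so TTL 1 at
    this host is the first line of the story.  A probe that outlives the
    story (TTL > len(hops)) returns None: let the kernel handle it normally.
    """
    ttl = parse_ipv4(probe)["ttl"]
    if 1 <= ttl <= len(hops):
        return build_time_exceeded(probe, hops[ttl - 1])
    return None


def parse_reply(reply: bytes) -> dict:
    """What traceroute sees: outer IP header, ICMP type/code, the quoted probe."""
    outer = parse_ipv4(reply)
    icmp = reply[outer["ihl"]:]
    return {"src": outer["src"], "dst": outer["dst"], "ip_ok": outer["header_ok"],
            "type": icmp[0], "code": icmp[1], "icmp_ok": checksum(icmp) == 0,
            "quoted": parse_ipv4(icmp[8:])}
```

Because every reply is generated by the same host at the same instant, the per-hop latency of the story is flat, which is exactly the tell mentioned above: a real two-router setup shows increasing delay between story hops, a script shows none.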

Retail fail, Integration, Docs, Testing, Digital Distribution, GAE, ScyllaDB, C-Lion, ESB, PY 3.5

posted Sep 29, 2015, 9:45 AM by Sami Lehtinen   [ updated Oct 2, 2015, 8:31 PM ]

  • Once again a sad story of how badly customer service can fail if basic information systems aren't up to date. A friend of mine bought a new sofa and received a notification that it had arrived at the pick-up point. We picked up a rental car to fetch it, and when we got there it seemed to take quite a long time. After about 45 minutes of waiting a guy came out and told us that there had been a mistake: yes, our system shows it's here, and we called you to pick it up, but it's not actually here. Just great. How about getting the systems and users to work so people could get reliable information? I know, I know, fails like these are business as usual, but they shouldn't be. It's really crappy service. They didn't even promise free delivery due to this fail, even though I personally would have demanded it.
  • My personal favorite when doing an integration project is the absolutely amazing amount of conflicting documentation which still lacks the key information. It's just awesome to read 1200 pages of documentation and find out that it didn't contain the information required. In many cases all the required information could have been packed into just a few pages. I just love the 'documentation department' which produces a large volume of extensive documentation that is all just a big waste of time.
  • Seriously tuned a few dev and staging environments to make everything work perfectly. It's really important to refine processes and make sure everything works before deploying into production.
  • Read a short article on how the BBC handles their global data, video & news delivery aka digital distribution. - No news there; it's all the basic stuff and business as usual.
  • Some of my old Google App Engine projects got shut down due to the Master-Slave Datastore deprecation and shutdown, because I didn't have the interest to migrate them to the High Replication Datastore. Another reason why I don't like App Engine right now is the lack of Python 3 support.
  • Quickly checked out ScyllaDB (Scylla Database), which is a drop-in replacement for Cassandra. It looks awesome. No, I didn't have time to test it. I liked their architecture. - I think the Google guys said it a long time ago, when people complained about the problems and complexities of multi-threading and manycore software development: What? It's like having multiple single-core computers with a really great interconnect. What's the problem?
  • More news about C-Lion (Sea Lion?), Cinia's new submarine optic fiber to Central Europe, and TeliaSonera's new data center in Pitäjänmäki, Helsinki, Finland, EU. Actually the data center is about 100 meters from where I'm working. I've got a great photo series, because I snap a photo or two daily when passing it.
  • Palveluväylän kuvaukset - Finnish Service Channel descriptions (in Finnish). - KW: X-Road, Enterprise Service Bus (ESB), systems integration.
  • Python 3.5.0 release notes in detail, including the new PEPs. List: zip, **{'unpack': 'me'}, %-formatting for bytes, @ matrix multiplication, os.scandir(). I also love os.walk(), which is an old feature; math.isclose() is also very handy. I've often written horrible kludges to work around very small differences between float values which aren't the same but basically are the same. Getting rid of .pyo files is really nice too. But the most awesome feature is support for coroutines (PEP 0492) and the async / await syntax. I could write a whole post about its awesomeness. Gotta write some play code to find out how to use this stuff in detail. I've been using managers and thread / process pools in most projects, and in some cases individual threads / tasks, but this should be so much better and more efficient. Also see: asyncio.
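The coroutine support praised above fits the monitoring script described in the previous post (per-service choice of IPv4 only, IPv6 only, both in parallel, or round-robin). The following is an added example, not the author's monitoring script: one coroutine per probe, asyncio.gather to run a whole round concurrently instead of a thread pool, and asyncio.wait_for so a black-holed address cannot stall the round. The service names, the fake_prober stand-in and its behaviour (IPv6 to one host never answers) are constructed so the example runs offline; tcp_connect is the real prober for use on a network. async / await is Python 3.5 syntax, asyncio.run and StreamWriter.wait_closed need 3.7 or newer.

```python
"""Monitor probes with a per-service address-family policy, written with
async / await instead of a thread or process pool: one coroutine per probe,
asyncio.gather to run a round in parallel, and asyncio.wait_for so a
black-holed address (typical for half-working IPv6) cannot stall the round.
"""
import asyncio
import socket
import time
from dataclasses import dataclass
from typing import Awaitable, Callable, List, Optional

FAMILY = {"v4": socket.AF_INET, "v6": socket.AF_INET6}
# (host, port, address family) -> connect time in ms; raises OSError on failure
Prober = Callable[[str, int, int], Awaitable[float]]


@dataclass(frozen=True)
class Service:
    name: str
    host: str
    port: int
    policy: str   # "v4", "v6", "both" (parallel) or "rr" (alternate per round)


@dataclass
class Result:
    service: str
    family: str
    ok: bool
    rtt_ms: Optional[float] = None
    error: Optional[str] = None


def families_for(service: Service, round_no: int) -> List[str]:
    """Which address families this service is probed over in a given round."""
    if service.policy in ("v4", "v6"):
        return [service.policy]
    if service.policy == "both":
        return ["v4", "v6"]
    if service.policy == "rr":
        return [("v4", "v6")[round_no % 2]]
    raise ValueError("unknown policy %r" % service.policy)


async def tcp_connect(host: str, port: int, af: int) -> float:
    """Real prober: time a TCP handshake pinned to one address family."""
    t0 = time.perf_counter()
    _, writer = await asyncio.open_connection(host, port, family=af)
    writer.close()
    await writer.wait_closed()
    return (time.perf_counter() - t0) * 1000.0


async def probe(service: Service, family: str, prober: Prober, timeout: float) -> Result:
    """One probe with its own deadline; never raises, always yields a Result row."""
    try:
        rtt = await asyncio.wait_for(prober(service.host, service.port, FAMILY[family]), timeout)
        return Result(service.name, family, True, rtt_ms=rtt)
    except asyncio.TimeoutError:
        return Result(service.name, family, False, error="timeout")
    except OSError as exc:                 # refused, unreachable, no AAAA record, ...
        return Result(service.name, family, False, error=type(exc).__name__)


async def run_round(services: List[Service], round_no: int,
                    prober: Prober = tcp_connect, timeout: float = 2.0) -> List[Result]:
    """All probes of one round run concurrently; rows come back in task order."""
    tasks = [probe(s, fam, prober, timeout)
             for s in services for fam in families_for(s, round_no)]
    return list(await asyncio.gather(*tasks))


def monitor_once(services: List[Service], round_no: int,
                 prober: Prober = tcp_connect, timeout: float = 2.0) -> List[Result]:
    """Synchronous entry point: run one round and return its rows (log them as you like)."""
    return asyncio.run(run_round(services, round_no, prober, timeout))


# ---- offline demonstration: constructed services and a stand-in prober ----
SERVICES = [Service("web", "www.example.test", 443, "both"),
            Service("db", "db.example.test", 5432, "rr"),
            Service("legacy", "legacy.example.test", 22, "v4")]


async def fake_prober(host: str, port: int, af: int) -> float:
    """Stand-in for tcp_connect so the example runs without a network:
    'db' over IPv6 never answers (black hole), everything else is healthy."""
    if host == "db.example.test" and af == socket.AF_INET6:
        await asyncio.sleep(3600)          # wait_for cancels this at the deadline
    await asyncio.sleep(0.01)
    return 12.5 if af == socket.AF_INET else 14.0


if __name__ == "__main__":
    for rnd in (0, 1):
        for row in monitor_once(SERVICES, rnd, fake_prober, timeout=0.2):
            print(rnd, row)
```

Round 0 probes db over IPv4 and everything succeeds; round 1 alternates db to IPv6, which hangs, and the row comes back as a timeout after 0.2 s while the other probes finish unaffected. That per-probe deadline is the thing a plain thread pool makes awkward, and it is what keeps one broken address family from masking the state of every other service in the round.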
