My personal blog about stuff I do, like and am interested in. If you have any questions, feel free to mail me! My views and opinions are naturally my own and do not represent anyone else or any other organization.

[ Full list of blog posts ]

Facebook, Attack Map, Qlik, Panorama, Tableau, BuiltWith, P2P Insurance, Tiedustelulaki, Identity Management

posted Oct 2, 2015, 8:43 PM by Sami Lehtinen

  • How Facebook lets people know if you're ok. - I think the post is full of obvious stuff. I personally didn't find anything especially interesting in it. Most of the stuff is very basic optimizations that should be done with every project. Yet there's one question. If there's a disaster area, is the primary goal to overload its networks with non-emergency traffic? Isn't the basic rule that if something happens, you should avoid useless and unnecessary communication, as there are probably better uses for the bandwidth? So when I think about it, yes, it's nice if it makes it unnecessary for people to do the most undesirable thing, aka call the area / persons in the area. Yet flash flooding the networks of one country might still be a bad idea and depending on the situation could hog quite a lot of bandwidth / overload networks. One thanks for stupid behaviour goes to all those über stupid Hollywood movies. It seems that people do not act in the movies like they're trained by the military and by emergency services to do.
    I still remember when SMS was getting very popular and during New Year's Eve the SMS traffic got so high that it totally overwhelmed the networks and delivery systems. Result? The flash flood of SMS messages was still being extracted over two weeks after the new year. Overload also caused a situation where ACK packets failed to reach the servers, which made the situation just much worse. Now the same message could get delivered even tens of times. A similar situation happens with TCP: when packet loss goes up, packets get redelivered and lost connections are retried, making the overall situation even worse than it would be without this retry logic.
  • Norse Attack Map - I don't like that map at all, it's way too generic. It's so common that people get confused about attacks and all kinds of lies being sold by security companies. Yes, there are real attacks, but most of the background radiation junk isn't real attacks. As well, real attacks might not get detected as being real attacks. Otherwise it would be way too easy to detect attacks.
  • Is this going to be the future of Internet of Things? I'm really afraid it will. But I hope it won't. A story about how horrible the security of IP webcams can get.
  • Checked out B61-12 nuclear bomb. Interesting and expensive stuff. As well as Ka-52 Alligator. Read more stuff about Yasen Project 885 submarines.
  • Checked out Qlik Sense Desktop and Panorama Necto 15. Both excellent self-service smart data discovery and visualization tools which can be used for Business Intelligence analytics. I've explored Tableau earlier and I really loved it. Qlik Sense Desktop is just as awesome. I didn't go into details or try doing anything hard. But a basic dashboard from data in a database was trivial to visualize, and creating a dashboard from data was awesome and easy with all three products.
  • Watched a few nice BBC documentaries, Computer Algorithms, Computer technology (early history) and history of Diesel Engines. 
  • Nice document describing the Cinia Group Oy / Sea Lion (C-Lion?) submarine cable system (PDF). - Read it all, but afaik, there wasn't anything new in there. Just generic document about submarine cable laying and design, protocols, processes, equipment required, planning, etc. Including detailed route, depths, and laying technology, environmental impact and so on.
  • StartupDaily / BuiltWith - This would be pretty much my dream. Something quite simple, running in fully automated form and making money. It would be just so wonderful to own such business. Well, I have some plans, but nobody ever knows if those are going to work out or not. Probability for miserable failure is something like 95%. But sometimes you'll just strike gold. Who knows. 
  • Read documentation by Michael Folkson, Building a risk market for the digital Age. - Nice description of how Bitcoin blockchain and OpenBazaar style digital assets could be used for issuing distributed digital insurances. kw: value exchange, risk exchange, decentralized insurance marketplace, insurance industry, blockchain technology, peer-to-peer insurance.
  • Some thoughts about OpenBazaar and distributed insurance market: About distributed insurances, does it mean that the amount of insured money should be held somewhere in escrow? That basically ruins the whole business if it's like that. I'll be reading further comments, before posting this. But it was my first thought. Like in case of liability insurance, customer might pay 100 units, and the amount that the customer is insured for can be 1000x more. So the 100 unit escrow isn't worth it, and also if that 1000x is required in escrow, it's ruining the whole business. So yes, there's counter party risk, but it's kind of an essential part in making the deal feasible. I'm also very keen to know what kind of insurance deals there will be available and how those are going to be technically arranged. All this slightly reminds me of the X-Trackers 2.0 synthetic ETF counter party risk management. kw: collateral damage, escrow contract, conventional insurance industry, insurance brokers, buyers, sellers, claims, payout. Have to read and think a lot more about how this is going to work. Luckily I guess the community got excellent expert contacts with this matter.
  • I was a bit worried that Electronic Frontier Finland - Effi ry would completely miss the Finnish 'Tiedustelulaki' issue. But they didn't. Here are their comments about it in Finnish.
  • Handled a lot of deep thoughts about identity management with my friends. Yet there's nothing new. I've said it earlier. Good systems provide the possibility for complete anonymity as well as very strong pseudonymous credentials. If required or wanted, that pseudonym can be linked to a real life identity. But it's completely optional. I've done that several times personally by signing anonymous posts with a freshly generated OpenPGP key. So all of my posts got a very strong pseudonymous identity. If required, I can sign a message with that same private key revealing who I am, as well as cross signing (mutually signing) it with my well known personal public key. Just so much talk with my OpSec and InfoSec nerd friends. Is my tinfoil tight enough? No? I think it's leaking some TEMPEST radiation around.

ARIN IPv4, CISA, OVH, Karma Police, TCP Cubic, NetAnalytics, Galaxkey, Status LED

posted Sep 29, 2015, 9:46 AM by Sami Lehtinen   [ updated Oct 2, 2015, 8:31 PM ]

  • ARIN (North America) is now finally and officially out of IPv4 addresses. Now it would be really good time to get your IPv6 stuff together if you haven't yet done it. Also many big players like BT are now really starting to push IPv6 forward.
  • One more reason to avoid US based hosting? CISA - You'll get betrayed by US technology companies.
  • OVH announced building 12 more data centers? - I wonder if OVH couldn't provide customer satisfaction with mega data centers? Is latency so important for many customers? GRA and BHS data centers are potentially absolutely huge? But does that make customers unhappy due to potentially high latency to a distant mega data center? I guess that's the reason why they're planning to build 12 more (obviously smaller) data centers.
  • Read: Karma Police - Surprised? Nope. It's just as expected. Very good article reminding us how we're all being monitored. Had to read it all even if it's very long. Good stuff.
  • TCP Cubic bug fix by Google. Slow start broken on persistent connections when using Cubic? Ok, I thought slow start would be used if connection has been 'idle' for a certain time. But it seems that wasn't the case in this particular case. 
  • Had some discussion about traceroute and similar traceroutes where the route contains tons of funny names or story or what ever. I would personally prefer faking it using Python script, instead of using two routers as one old example solution did. When I said that, I was asked if I would write such a script. My answer was:"
    I'm busy with other projects, so I won't do it. But that's trivial. It would be a good practical learning opportunity if you're trying to learn about IP protocol and packet handling. Just use raw sockets on Linux, get data, and generate responses from a different IP based.
    Alternatively you could use multiple IP addresses on the same host, then you don't need to fake packets and can traditionally listen on ping on every IP. But that takes it to a bit higher level and it isn't so fun anymore.
    Or you can set your computer to listen in on routed traffic, if you got router which will route subnet to your 'software' router. There are multiple ways to do it.
    Of course using two hardware routers is also ok, if you want to learn about configuring those. Different goal, different means.
    All of these means still require you to be able to control that subnet and set required reverse DNS information.
    Also the latency between the first hop of the story and the last hop of the story tells about the system having very limited capacity. In case of the faking script, the delay difference between hops would be 0 ms. Now the numbers directly tell that there's plenty of latency and packet handling is taking a long time. -> Guaranteed to have poor throughput & load characteristics."
  • Fixed monitoring script, now it's possible per service to select if the service will be monitored using IPv4 or IPv6 using round-robin, either IPv4 alone, IPv6 alone, or both in parallel. Nice! All information is logged nicely in a database and can be analyzed later. I guess I'll be saving some of those logs too, so I can produce nice graphs when C-Lion (Sea Lion?) by Cinia gets connected between Finland and Germany.
  • Galaxkey - More hardware 2FA / Key management solutions. Afaik, nothing new in this case. It's not American, but it's a British company. Which means that it can't be trusted any more than American companies. Also their own secure solution with invites, email, etc. isn't what I'm looking for. If I want an authentication solution I want it to be as independent as possible. If it requires 3rd party trust, it's not secure in the way I'm looking for. Many of these solutions also leave a gaping hole for a back door entry. So basically systems are secure if they work as designed, but because many parts of the system are from a single vendor, it's trivial for them to break the security whenever they want / need to. I've seen many pieces of software work differently depending on what the customer / license holder is. So software is secure, unless the user being targeted is using it. Even then the security can be broken in a very subtle way so there's no way for the user to actually know that they've lost security & privacy.
  • OpenBazaar will allow selling of 'electronic goods' - Anything can be sold, purchased and naturally delivered online. Music business has been leading this trend and everything which can be sold will follow that. But there hasn't been great ways to sell electronic items online for individuals. OpenBazaar will allow that to be done easily for anyone and anywhere. As well as using cyber lockers for efficient delivery & pickup without hosting expensive delivery systems and content delivery networks (CDN). But I'll be posting more about that later.
  • I'm just wondering why phones with AMOLED displays (without a backlight) would need a status LED? Wouldn't it be trivial to just very shortly blink a group of LEDs on the screen itself, showing a symbol or figure? Just enough that it'll get your attention. Tens of milliseconds should be enough so you can recognize that 'something happened'. The power required for that should be absolutely minimal. A 20 ms flash every minute or so, lighting up just a group of pixels forming like an email symbol or phone symbol on screen. Yep, if you already got an LED display, what would you need a status LED for? I just don't get why they're not doing that already.
  • I guess you've already noticed that my Blog posts lag behind. I'm not posting daily and even weekly posts could have been stored as drafts for months before getting posted.

Retail fail, Integration, Docs, Testing, Digital Distribution, GAE, ScyllaDB, C-Lion, ESB, PY 3.5

posted Sep 29, 2015, 9:45 AM by Sami Lehtinen   [ updated Oct 2, 2015, 8:31 PM ]

  • Once again a sad story of how badly customer service can fail, if basic information systems aren't up to date. A friend of mine bought a new sofa and received a notification that it had arrived at the pick-up point. We picked up a rental car to pick it up and when we got there it seemed to take quite a long time to get it. After about 45 minutes of waiting a guy came out and told us that there had been a mistake: yes, our system shows it's here, and we called you to pick it up. But it's not actually here. Just great. How about getting the systems and users to work so people could get reliable information? I know I know, fails like these are business as usual, but shouldn't be. It's really crappy service. They didn't even promise a free delivery due to this fail, even if I would have personally required it.
  • My personal favorite when doing integration project is absolutely amazing amount of conflicting documentation which still lacks the key information. It's just awesome to read 1200 pages of documentation and find out that it didn't contain the information required. All the required information could have been in many cases packed just on a few pages. I just love 'documentation department' which produces large number of extensive documentation which is all just big waste of time.
  • Seriously tuned a few dev and staging environments to make everything work perfectly. It's really important to refine processes and make sure everything works before deploying into production.
  • Read short article how BBC handles their global data, video & news delivery aka Digital Distribution. - No news there, it's all the basic stuff and business as usual.
  • Some of my old Google App Engine projects got shut down due to Master - Slave Data Store deprecation and shutdown, because I didn't have interest to migrate those to use High Replication Data Store. Also one of the reasons why I don't like App Engine right now, is the lack of Python 3 support.
  • Quickly checked out ScyllaDB (Scylla Database) which is a drop-in replacement for Cassandra. It looks awesome. No, I didn't have time to test it. I liked their architecture. - I think Google guys said it a long time ago, when people complained about the problems and complexities of multi-threading and manycore software development: What? It's like having multiple single core computers with a really great interconnect. What's the problem?
  • More news about C-Lion (Sea Lion?) Cinia's new submarine optic fiber to Central Europe and TeliaSonera's new data center in Pitäjänmäki, Helsinki, Finland, EU. Actually the data center is about 100 meters from where I'm working. I've got a great photo series, because I snap a photo or two daily when passing it.
  • Palveluväylän kuvaukset - Finnish Service Channel description (in Finnish). - KW: X-Road, Enterprise Service Bus (ESB), systems integration.
  • Python 3.5.0 release notes in detail including new PEPs. List: zip, **{'unpack':'me'}, %bytes, @ matrix multiplication, os.scandir(). I also love os.walk() which is an old feature, also math.isclose() is very handy. I've often written horrible kludges to work around very small differences between float values which aren't the same, but basically are the same. Also getting rid of pyo files is really nice. But the most awesome feature is support for coroutines (PEP-0492) and await syntax. I could write a whole post about the awesomeness. Gotta write some play code to find out how to use this stuff in detail. I've been using managers and thread / process pools in most projects. And in some cases individual threads / tasks, but this should be so much better and more efficient. Also see: AsyncIO.
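Two of the 3.5 features listed above in working form, as an added example that is not code from the post: `math.isclose()` next to the fixed-epsilon kludge it replaces, and an `async`/`await` coroutine round that runs several service checks concurrently with a per-check timeout. The service names and delays are constructed; the sleeps stand in for network round trips and no real sockets are opened.

```python
"""Added example, not code from the blog post: math.isclose() versus a
hand-rolled epsilon comparison, and async/await coroutines running a
constructed monitoring round."""
import asyncio
import math
import time


def floats_equal_kludge(a, b, eps=1e-9):
    """The hand-rolled comparison the post calls a kludge: a fixed absolute
    epsilon, which is far too small once the values themselves are large."""
    return abs(a - b) < eps


def floats_equal(a, b):
    """math.isclose(): rel_tol scales with the magnitude of the operands;
    abs_tol covers comparisons against zero, where a relative tolerance alone
    can never match."""
    return math.isclose(a, b, rel_tol=1e-9, abs_tol=1e-12)


def compare_demo():
    """Cases where the fixed-epsilon kludge and math.isclose() disagree."""
    a = 123456789.0
    b = a + 1e-7  # about 7 ulps away; the relative difference is ~1e-15
    return {
        "large_kludge": floats_equal_kludge(a, b),   # False: 1e-7 gap exceeds eps
        "large_isclose": floats_equal(a, b),         # True: relative gap is tiny
        "zero_default": math.isclose(1e-12, 0.0),    # False: no abs_tol given
        "zero_abs_tol": math.isclose(1e-12, 0.0, abs_tol=1e-9),  # True
    }


async def probe(name, delay, timeout=0.05):
    """Simulated service check: the sleep stands in for a network round trip
    (constructed delay, no real socket). A check slower than `timeout` is
    reported as such instead of holding up the whole round."""
    try:
        await asyncio.wait_for(asyncio.sleep(delay), timeout)
        return name, "up"
    except asyncio.TimeoutError:
        return name, "timeout"


async def run_round(services, timeout=0.05):
    """Run every probe concurrently on one event loop; gather() keeps order."""
    results = await asyncio.gather(*(probe(n, d, timeout) for n, d in services))
    return dict(results)


def monitor(services, timeout=0.05):
    """Synchronous entry point: returns ({service: status}, elapsed_seconds).
    With thread or process pools each slow check ties up a worker; with
    coroutines all checks share one thread and the round takes about as long
    as the slowest check or the timeout, whichever is smaller."""
    start = time.perf_counter()
    status = asyncio.run(run_round(services, timeout))
    return status, time.perf_counter() - start


if __name__ == "__main__":
    print(compare_demo())
    print(monitor([("db", 0.01), ("slow-api", 0.3)]))
```

`asyncio.run()` arrived in 3.7; on 3.5 itself the equivalent is `loop = asyncio.get_event_loop(); loop.run_until_complete(...)`. The timeout is the part worth copying: without `wait_for`, one stuck check would make the whole round as slow as its slowest member.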

Palveluväylä (ESB), Statistics, Digital Assets, GNU Taler, Mooltipass, Brotli, B2

posted Sep 29, 2015, 9:00 AM by Sami Lehtinen   [ updated Oct 2, 2015, 8:58 PM ]

  • Read: Palveluväylä - Finnish Service Channel (Enterprise Service Bus (ESB) aka X-Road) development environment - Security Server installation requirements document - I've been following this ESB / X-Road project very closely. I might need to work with it in the near future. Kw: Ubuntu, central security server, CA service, TSA service, X-road software, PPA, keyserver, DNS, NTP, Information System, Certificate Authority, Time Stamp Authority
  • Really nice Python & Database related post with many links by Charles Leifer.
  • Nothing new but just excellent presentation about Statistics for Hackers.
  • Sometimes launching hobby projects can be really miserable. Here's one sad story: "The toxic side of free. Or: how I lost the love for my side project" - I hope my side / hobby projects won't end up like it. Yet I love his attitude, anonymous services without crapchas and other stuff to hinder users. That's usually what I want to provide too. As simple and sleek service as possible. Get done what you want to do. No extensive sign-up stuff and several pages of bs how great our company and service is without even telling what it's doing. I've seen plenty of those sites, and I simply can't stand such junk. There are several services where it's almost impossible to find out what the real function of the site is, except that they're just so super cool.
  • Studied draft documentation 'Digital Assets in OpenBazaar', which allows anyone to sell 'digital goods' online globally. - I'll be posting some thoughts and notes later.
  • GNU Taler - Electronic payments for a liberal society! Actually this is just like other electronic money systems, the Mint is the key, the rest of the system is open source. So yes, why not, this could be the open future for existing currencies. This is not a competitor to Bitcoin. kw: Taxable, Anonymous, Libre, Electronic, Reserve, RESTful, Free, Efficient, Secure, Convenient, Stable, Fast, Ethical, Security, Transactions, Payments, Pay, Transfer, Money, Currency, Economy, Trade, Taxation, Receipt, Free Software (FOSS), Open Source, Integration, Integrate, Web Payments, Electronic Coin / Money Mint Financial Services and Reserves, GNU, technology.
  • Stored tons of network metrics data to sites hosted in Germany before the C-Lion (Sea Lion?) cable is being used. I'll be making the same measurements after the cable gets connected and write a nice post with analysis & comparison about it. How much the C-Lion improved the network connectivity. Three service providers in Germany and three in Finland were used to collect the data.
  • Mooltipass password storage / USB authentication device. - I think all those extra features and customizability actually make it vulnerable. It's too high level a cool implementation. Basically security devices should be as simple as possible. Any extra will just make the attack surface a lot larger and the device much more expensive. This is a cool toy, and not designed for real security use.
  • Laughed at laughable security once again. Basic things like firewalls seem to be above understanding of most of technical people. It's just so common occurrence that systems are repeatedly configured insecurely. Even after 100 nags, someone will fix it, lazily if they care enough. Then after a while settings are again reset to insecure values and that just goes on and on. All those talks about security, lulz, because truth is that things being secure are just an accident. Insecurity is the default norm for all systems.
  • Brotli compression is again being discussed. I last wrote about it about two years ago. Yep, it's always nice to get better compression codecs. Brotli is lossless compression and not lossy like most video and audio codecs. It's a variant of LZ77, so it's not that different from LZMA and others. Here's the latest Brotli specification draft. And here's a comparison with other compression algorithms and with different data sets. Of course there's also snappy if you're looking for super fast light compression. It's a good idea not to forget zstd if you're looking for fast compression. You could think there's a single best compressor? That's wrong; check out this site and you'll get more information than you might have wanted: Squash Benchmark.
  • Checked out Backblaze B2 Cloud Storage - I like it, it's a lot cheaper than Amazon S3, Google Cloud Storage or Microsoft Azure. Nice cloud data bucket storage as IaaS. Also checked a post about their DC even if it's already old news. I just wish they would provide a European Data Center for European clients. It would have been nice if its API were Amazon S3 compatible. I also studied their RESTful API documentation. Buckets, SHA1, Unicode (UTF-8), Checksums, versions, MIME, Python. Played a little with their Python pusher. Actually I would love to see projects like Duplicati including B2 support. Yet the B2 API requires the SHA1 of the file being uploaded, which with large files means that the file has to be read twice from disk, adding extra I/O load. It would be nice to be able to avoid that, because the API already works over TLS, which does contain checksumming and protects data in transit, and TCP already got a CRC, which is pretty much useless if there are high error rates. Anyway, double checking data still requires double CPU & I/O. I also got confirmation that they're not planning to enter the European market anytime soon. I think it's still ok to use their services, but all data should be separately encrypted.
  • OpenBazaar main site is now redesigned. Nice face lift to that old placeholder page.

DNS hosts file test project shutdown announcement

posted Sep 29, 2015, 8:03 AM by Sami Lehtinen   [ updated Sep 29, 2015, 8:05 AM ]

Closed down the hosts.txt file service which looked up popular sites IP addresses and wrote standard hosts.txt file from it. List was also automatically updated so that if IP addresses changed, list was brought up to date. It was just a small test project to see how IPv6, Python and uWSGI, Apache 2 worked out with Well, it worked, and worked reliably, but I don't have interest to maintain that test project any further so I closed it down.
Here's the project description page dump for later storage even if the service isn't running anymore.

-- Dump --


Crowdsourced DNS based hosts file

DNS Hosts will be shut down now. I haven't received any feedback about this site, and this is quite useless. Yet it was my first uWSGI / Bottle / Python / PostgreSQL and SQLite3 Web project using a standalone Linux server. Apache 2 was used as frontend reverse proxy. So I gained experience while creating this test stuff. Service was shut down 2015.9.31.

What is this all about?

    If you don't know what hosts file is about, check this out first Wikipedia: hosts file
    Sometimes you'll need a custom hosts file, when using DNS isn't an option*
    Pre-compiled IP / DNS mapping list in hosts file format, which you can filter for your own needs
    In some cases DNS usage has been seriously limited, due to censorship or on purpose
    Maintaining these lists by your self manually is usually very annoying
    Crowdsourcing to users greatly simplifies getting the required names listed


    Locally instantly resolve list names
    Circumvent any DNS based censorship 


    Requirement to manually update list, unless some updater software is being used
    DNS round robin doesn't work
    DNS based local routing to nearest data center doesn't work 


If there are users for this service, I'll be happy to add following features.
    Grouping by service and option to get customized lists which include / do not include selected services
    User accounts
    User preference storage
    Private hosts entries, without existing DNS records (the traditional use for hosts file)
    Private group lists, remember which services you have selected
    Blocking option on user level, set selected services / groups to localhost ( to block access
    Public blocking list for bad sites
    Looking for something else? Feel free to contact me by email: dns-hosts (meow)
    Great user interface for managing your private hosts entries


In many cases firewalls do not properly filter DNS queries, practically rendering the whole firewall meaningless. See Iodine IP over DNS. If you're interested, you'll find a lot more information about this topic easily.
Another reason is that in some cases, it's just easiest to block DNS completely on firewall level. And then distribute hosts files to computers, which allow access to listed sites. This is where the customized lists come into play. You can either use those to allow access to listed sites, and block DNS completely. Or as reverse, use DNS as usual and use lists as blacklist to block / ban access to selected sites.
(C) Sami Lehtinen 2014
Disclaimer: List is provided as it is. List is updated using public DNS records and therefore I can't be held liable in case of invalid or malicious data being in the list, potentially allowing phishing or MITM attacks.
dns host file hosts whitelist blacklist blocking groups services internet censorship circumvention manager managed compiled lookup lookups entry editor domain name system popular common regularly used domains listed listing list local quick access super fast address addresses ipv4 ipv6 email ip server group groups grouping service services generated generator private personal personized organization organizational crowdsourcing crowdsourced whitelisting record twitter facebook google youtube vimeo cnn bbc yahoo baidu wikipedia qq linkedin live taobao amazon sina blogspot weibo wordpress yandex vk ebay bing hostfile hostsfile hosts.txt 

CloudFlare China, Online Web Reputation, PyNaCl, Hashmal, Unicode, IPFS, NSA Post-Quantum, AWS

posted Sep 18, 2015, 11:37 PM by Sami Lehtinen   [ updated Sep 18, 2015, 11:37 PM ]

  • CloudFlare launches China CDN - Nice! That was one of the gaping holes on the map. There's still India and Russia left to conquer. I mentioned earlier Lagos, Mumbai, Chennai, Moscow. Mexico City is also a pretty user spot alone. Yet using the China network requires an ICP license from the Chinese government. There's also a service called Baidu Yunjiasu which is targeted at Chinese businesses and users and provides the same familiar CloudFlare service set. CDN, DNS, DDoS, WAF. Here's an extensive blog post about the Mainland China extension.
  • Checked out tons of discussion on how to handle reputation reliably on a distributed network so it can't be forged. What if someone tries to hide evidence? What if ratings are deleted by the Vendor, should the Moderator be responsible for holding reviews rejected by the Vendor, etc. There are just so many things to consider. Does verifying this data require the full Bitcoin blockchain as well as OpenBazaar trade history or not? And how to achieve that with reasonable resource consumption, assuming that the service could become popular. Tasks which require a lot of resources or are computationally intensive should naturally be avoided. Should there be individual 'reputation' services? What if there are several reputation services and values from those won't match? What's the ultimate truth? Embedding data in the Bitcoin blockchain. Usage of 2 of 3 P2SH Escrows, UTXO, gaming the reputation and identity systems and so on. Also found out about some pretty neat hacks, but well, those are being kept under wraps so far. Cases where vendor, moderator and buyer aren't on-line at the same time and the system needs to work fully asynchronously storing state somewhere and so on. Proofs and digital signatures oh joy, so much tech stuff.
  • Enjoyed even more PyNaCl and libsodium stuff, but got it finally working. The key? Reboot. It was horrible. I got even obelisk installed successfully. Now my OpenBazaar-Server is fully working with the test network.
  • Really quickly studied Hashmal. It's an interesting tool. Yet I think normal end-users shouldn't need to dive so deep in tech stuff.
  • Daily character encoding joy. There are still systems which absolutely blow up when encountering something exotic like €. Smile. Yep, took me about 15 minutes to figure that out and fix it. Uh. Did I say Unicode would fix the issues? Read this post Dark Corners of Unicode. Wonderful, aww.
  • Neocities is pushing IPFS yet I think the whole project is based on bogus claims: Permanent web, that's a lie. It isn't. Yes, there are other potential benefits, which are very similar to GNUnet and Freenet, but as has been said, if the project title and marketing are based on a blatant untruth, that's not a good way to start a project. I personally don't like such an approach at all.
  • Got one mind blowing integration project, it mixes several different technologies like no other so far. Yeah, it's doable, it's not impossible. But I'm pretty sure there will be some issues before everything is working perfectly. I've written several times that I really like clear, simple and robust solutions. This is not going to be one of those.
  • Read article - Web Reputation Systems and the Real World and presentation 5 Reputation Missteps. It's not news that reputation systems can be gamed, also no existing reputation system can prevent long cons. KW: People Reputation Karma Trust Reference Knowledge Context Quality Webutation
  • Read: "NSA Plans for a Post-Quantum World"
  • Amazon lowers storage prices: Adding an 'infrequent access storage'.

InfoSec, OPSEC, Google, Cloudflare, Microservices, LTE, Data, Liability, OpenBazaar, WiFi

posted Sep 13, 2015, 1:04 AM by Sami Lehtinen   [ updated Sep 13, 2015, 1:05 AM ]

Items are totally unordered, more like shuffled.

  • Reminded myself about the difference between git gc --aggressive vs git repack -Ad and git prune.
  • Had once again extensive discussion with friends and colleagues about Information Security (InfoSec) and Operations Security (OPSEC). It's just so easy to forget it. "Silence means security / Loose lips might sink ships"
  • Also configuring ICT systems securely and using secure operational procedures is very important. It's just so easy to make one little mistake and completely debunk security. Yet of course this requires that the attacker is there to exploit it. But some of the flaws are so serious that the hole will be left open and can be exploited later.
  • Dolphin Browser is probably one of the crappiest mobile browsers available. Currently it seems that even the clear history functions are broken. It confirms to the user that history & cache have been erased, yet nothing actually gets deleted. I think it's a perfect reason for everyone to boycott such malware. Among countless other serious usability and security issues with the browser. Like preferring RC4, being vulnerable to many SSL/TLS attacks and the list goes on.
  • Google is expanding data center in Hamina. According latest permit documents, it would reach about 900 000 m^2 (square meters), which translates to almost 10 million square feet. That's huge!
  • Once again advanced remote video surveillance turned out to be beneficial. It's always good to be trained and prepared on both physical and on cyber security. These solutions can help you to maintain privacy and security of premises and also to give an advance warning if something is happening / going to happen. Yeah, I hate 'cyber' word, but that's what media seems to prefer.
  • Finland tries to get more exports. But exports are mainly focused on digital services like games or electronic ERP & business platforms. Also system integration is trending and expertise is being sold to foreign countries boosting exports. BTW. This is good news for me. I'm expert in exactly this field. Business system integration, ETL, data processing, reporting, refining, etc.
  • I'm trying hard to catch up on the latest OpenBazaar development. I've been busy with a few other things lately. But during fall, when the weather starts to suck, I hope I'm going to make it. Long dark cold weekends, all you can do is study & code.
  • Quote from Tivi magazine: "In the future the IT professional will increasingly be a multi-skilled professional, in both the private and the public sector. In addition to good and deep expertise, you need business intelligence, an understanding of the operating environment and the ability to develop something new," says Jukka-Pekka Suonikko of VR. - Yep. It's not enough to understand one small thing about ICT. You're required to understand the whole and also have some understanding of business logic and the business environment, as well as being able to see how these things can be further developed and enhanced.
  • Further improved some monitoring systems due to public request. Added some really neat features, like response time sparklines for showing lately developing trends.
  • Very long discussions about whether systems should be built with microservices or not. There are so many things which affect it. Microservices can be a great or totally horrible thing, depending on so many other factors in how the system architecture is being built. A great blog post about microservices. I've also got friends who've built (actually) critical production systems using a microservices architecture, including great realtime monitoring and management systems. Without those systems, microservices can end up as an unmanageable mess. Of course I can't tell you any details of those systems. But let's say that the control panel they used was very near to Apache NiFi (control screenshot) - where you just link microservices together and see the data flowing. You can also modify module settings, reconfigure the system, and remove modules (microservices) or add modules in realtime. Data splitters, duplicators, filters, logging, etc. Without this visibility, microservices could be just a black box with random performance issues which could be really hard to debug without the right tools. - Link to full Apache NiFi site. - Something new in this screen layout? Nope, it just reminds me of good old DOS CA - Super Project. Yep, I've used it already back then.
  • I also loved the previous article, because I've been involved with such job now for a few years, discussing these very specific topics. Processes, technology, marketing, etc. Everything related to launching a new product and supporting it.
  • Also spent a day studying Apache ServiceMix, which is a fairly direct competitor to Microsoft BizTalk Server.
  • Nokia TDD and FDD co-existence in LTE networks. - An excellent article about pros & cons of different network duplexing solutions. (TD-LTE, FDD-LTE, RAN, 3GPP, multi-cell optimization, eICIC, LTE, DL/UL CoMP).
  • Data is a liability? - I agree with this article very much, it's excellent! I prefer to delete all data for which I can't name a reasonable reason to keep it. Yet as I've written earlier, many CEO and CTO guys seem to prefer a never-delete-anything attitude, which leads to exactly the problem of data being a liability. There can be a really large amount of data being stored, without customers' / users' consent, for extended periods (basically forever). I've also noticed that many people have some kind of totally delusional attitude about 'deleting' something. When you know how systems work, it's easy to understand that delete almost never means delete. It means 'this space could be freed or reused later'. But nobody knows when that later comes. It can come quickly, or never. So users should really realize that there's no such thing as "deleting something". If you released that content once, or uploaded it somewhere, there is NO WAY WHATSOEVER to make sure it's deleted. You simply can't do it. Don't say anything now. Because you're probably trying to say "but I can delete it"... Yep, but that's just the silly illusion or delusion you've got. Even if their ToS says whatever BS. You don't know if some developer had debug mode enabled and copied your data to everlasting secondary storage, where it doesn't get deleted and which in some cases can also be outside the whole circle of protection applied to production systems. It's pretty much guaranteed that over 10 years old data which hasn't been useful so far would actually be useful in the future. But if it leaks out it could still be harmful. As an example, you have no way of knowing if Facebook, Google, Gmail, Amazon, AWS, S3 or Dropbox might still have everything, absolutely everything, you've ever uploaded or communicated via them. The same applies to VPN services. You don't know if they have 100% packet captures of everything you've ever passed through their service.
Well, they might not have it, but they could have it just as well. What about the online backup services or outsourced business solutions? If you're using Office 365 for business or Skype for Business, who knows, maybe and probably all that data is also held forever. Even if you end your subscription, nothing forces them to get rid of the data. Or Cortana and Windows 10. But there are corporate rules, ToS. Laugh! Yeah, it's enough that there's one high-level guy who has a special interest in you based on whatever profiling or reason. Finnish people do usually follow rules; most other nationalities don't give a s*t about rules. It's forbidden or illegal? So what. I don't care. I just yearly do a 'debug run' where I collect all your data, encrypt it, store it on my personal external hard drive and take it out. And you said clicking delete on the data in the 'cloud' would help? Good luck! Don't forget all the 'private' IM platforms. Those could also retain your data, images and documents shared over them forever. That's the real hazard people are taking now. Someone buys an old drive from eBay, gets 10-year-old Snapchat content and decides to publish it as a torrent for lulz. That would be kind of funny. Wasn't it all private? How's this possible? Scavenging data from disposed drives would be a fun hobby, if I had time for it. Figuring out what fun we could have with all this data. Fun just in case you can't monetize it. - But why should we care or worry about this? All is well, just keep doing whatever you're doing. Or when you send your PC for repair. They copy everything from it and never delete the data from their systems, and for easy access there could be a large number of people or even third-party companies able to access all that data. At some point in time there's a configuration error on the 'temporary (permanent) data storage' and all that content copied from hundreds of laptops / workstations becomes searchable via Google.
Well, it happens, and you asked for it. What's the problem? Didn't you realize that (whatever content you have) on your computer is public? Even if it was serviced 8 years ago, yep. You've since deleted 'that', but nope, now it's visible to everyone via a proxy. Enjoy! In the Hacker News discussion they said data is an asset. Sure, that kind of data cache could be a great asset for someone wanting to blackmail those people. But monetizing it legally could be hard.
  • A really nice performance optimization post by Julia Evans. - Yep, that's a very classic and perfect example of how small changes can make a very drastic and actually really meaningful performance difference.
  • Checked out yet another combined encryption & key device called Nitrokey. It promises to secure your digital life and it's made in Germany. One of the most important points is that its software is open source.
  • There are discussions around the net that OpenOffice shouldn't be used anymore. So if you're still using OpenOffice, it's a good time to boot it out and get a great replacement called LibreOffice.
  • PEP 0498 approved - That's very nice. I'm definitely going to use that structure as soon as my apps are using Python 3.6. Which shouldn't take too long once it's released and tools like cx_Freeze and PyODBC (x64) support it.
  • Interesting FAT32 fragmenter. I've written an on-purpose fragmenter too, but I used a slightly different, simpler and higher-level construction: deleting small files and growing one large file. The way I do it is in a way better, because it works on every file system.
  • That TSA key leak was just funny. Anyway, if there is a widely used and known backdoor already, you can consider it completely insecure, even if the key isn't known by the public. Everyone who really needs access to those keys will find a way to get them. It's just stupid, like using default credentials, which is a constant problem in ICT. Managing credentials sucks and nobody wants to do it. It's just easier to use the same credentials all the time and everywhere, which is ... Yeah, it is. Well ... That's all folks.
  • Oh, let's add just one more quote. One client said about credentials, it's just so 'impractical'. It's better if there's no security or the widely shared credentials are used everywhere. Business as usual. Making things secure costs time and money, so it's better not to make systems secure.
  • And more work with business model canvas and process flow charts. Figuring out how to provide value proposition, deliver it and monetize it.
  • Windows 10 on Lenovo Miix 2 8" tablet doesn't recognize WLAN (WiFi) networks on channel 13 in Europe even if every setting I found is set correctly. So enraging, because that's the only channel providing good throughput in the business area where there are tens of WiFi networks on every other channel.
  • Had a long discussion about system security with a team: How would I attack my own systems from outside with all the insider knowledge I have? Would I do anything differently than when attacking systems without insider knowledge? What about exploiting social hacking vectors instead of technical entry?
  • Get a dog, it's a perfect cover for frequent dead drop visits.
  • Austin Williams' notes about OpenBazaar: Censorship-Resistant Storage of Ratings in OpenBazaar's DHT - Really nice post, and it clearly shows how much consideration has to go into finding good solutions. Only one major failure can make the whole system totally useless.
  • A university in Finland is researching a new kind of network which would work around service providers. But as I've written several times, mesh networks are a neat idea but also have serious drawbacks. I've written about those aspects several times, not going to repeat myself. (Firechat, Distributed Networking, Mobile Clients, etc.)
  • Un-Google, is it futile? - This is a very good question. Is it futile? I think it's not. I've personally moved all the key systems I use for private communication to my own server. I don't use Google, Facebook, Twitter or any of those services for things requiring privacy. And if things are considered 'secrets', then I'm opting for OpenPGP or S/MIME, as everyone else should too. So I personally went through that process long before the Snowden revelations.
  • Internet of too many things? - You're being watched all the time everywhere, and data about it is being stored for indefinite periods.
  • A technical comparison between SPDY, HTTP/2 and QUIC protocols. - Liked it.
  • CloudFlare says IPv6, HTTP/2, SHA-2. I've personally been there, done that years ago. Nothing new there. Are you still responsible for running legacy systems?
  • CloudFlare's Data Center / POP map starts to be crowded. But there is still free space for at least Laos, Mumbai and Moscow.
  • Checked global economy & investing opportunities as well as reminded myself about the details of the Baltic Dry Index.
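The "delete almost never means delete" point from the data-is-a-liability item above, as an added example that is not part of the original post. SQLite (which ships with Python) stands in for any storage layer: a row is stored, deleted through the normal API, and the raw database file is then searched for the deleted content. The secure_delete pragma is SQLite's real setting; the table, the marker string and the padding are constructed for the demonstration.

```python
"""Added example: a "deleted" row whose bytes are still in the file.

SQLite stands in for any storage layer here; the idea is the same as
unlinking a file: deletion marks space as reusable, it does not erase
the bytes. All sample data below is constructed."""
import os
import sqlite3
import tempfile

MARKER = b"CONSTRUCTED-SECRET-RECEIPT-2015-09"   # sample "private" content


def delete_and_check(secure_delete):
    """Store a row containing MARKER, delete it through the normal API,
    close the database and return True if MARKER is still present in the
    raw bytes of the database file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.db")
        con = sqlite3.connect(path)
        # secure_delete=ON makes SQLite overwrite freed cell content with
        # zeros; OFF (the usual default) only marks the space as free.
        con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body BLOB)")
        # Padding keeps the row well inside one page and easy to spot.
        con.execute("INSERT INTO notes (id, body) VALUES (1, ?)",
                    (MARKER * 4 + b"." * 200,))
        con.execute("INSERT INTO notes (id, body) VALUES (2, ?)", (b"harmless row",))
        con.commit()

        con.execute("DELETE FROM notes WHERE id = 1")
        con.commit()
        # The application sees the row as gone...
        remaining = con.execute("SELECT COUNT(*) FROM notes").fetchone()[0]
        assert remaining == 1
        con.close()

        # ...but the file on disk may still hold every byte of it.
        with open(path, "rb") as f:
            raw = f.read()
        return MARKER in raw


if __name__ == "__main__":
    print("secure_delete=OFF, marker still in file:", delete_and_check(False))
    print("secure_delete=ON,  marker still in file:", delete_and_check(True))
```

With secure_delete off the marker is still in the file after the application reports the row gone; with it on, SQLite zeroes the freed space. Note that even the "secure" variant only scrubs the main file: the rollback journal written during the DELETE transaction is unlinked, not overwritten, so the problem moves one layer down to the filesystem, which is exactly the post's point.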

Highlights & Quotes: Zero to One (Peter Thiel)

posted Sep 7, 2015, 7:43 PM by Sami Lehtinen   [ updated Sep 7, 2015, 7:44 PM ]

Some highlights I made while reading the book. It's recommended to buy the book, because many of the quotes are out of context.
Zero to One (Peter Thiel):
Startups operate on the principle that you need to work with other people to get stuff done, but you also need to stay small enough so that you actually can.
Because that is what a startup has to do: question received ideas and rethink business from scratch.
The internet had yet to take off, partly because its commercial use was restricted until late 1992 and partly due to the lack of user-friendly web browsers.
“irrational exuberance”
At least PayPal had a suitably grand mission—the kind that post-bubble skeptics would later describe as grandiose: we wanted to create a new internet currency to replace the U.S. dollar.
1. Make incremental advances
2. Stay lean and flexible
3. Improve on the competition
4. Focus on product, not sales
1. It is better to risk boldness than triviality. 2. A bad plan is better than no plan. 3. Competitive markets destroy profits. 4. Sales matters just as much as product.
It’s possible to question whether anyone should really be awarded a legally enforceable monopoly simply for having been the first to think of something like a mobile software design.
All failed companies are the same: they failed to escape competition.
Winning is better than losing, but everybody loses when the war isn’t one worth fighting.
If you can’t beat a rival, it may be better to merge.
business is defined by its ability to generate cash flows in the future.
Most of a tech company’s value will come at least 10 to 15 years in the future.
you should be asking: will this business still be around a decade from now?
Proprietary technology is the most substantive advantage a company can have because it makes your product difficult or impossible to replicate.
BUILDING A MONOPOLY Brand, scale, network effects, and technology in some combination define a monopoly; but to get them to work, you need to choose your market carefully and expand deliberately.
The perfect target market for a startup is a small group of particular people concentrated together and served by few or no competitors.
don’t disrupt: avoid competition as much as possible.
“ ‘Success is never accidental,’
the myth of the self-made businessman,
What do they do with the money? In a financialized world, it unfolds like this:
  • The founders don’t know what to do with it, so they give it to a large bank.
  • The bankers don’t know what to do with it, so they diversify by spreading it across a portfolio of institutional investors.
  • Institutional investors don’t know what to do with their managed capital, so they diversify by amassing a portfolio of stocks.
  • Companies try to increase their share price by generating free cash flows. If they do, they issue dividends or buy back shares and the cycle repeats.
At no point does anyone in the chain know what to do with money in the real economy.
Eroom’s law—that’s
Moore’s law
that the number of new drugs approved per billion dollars spent on R&D has halved every nine years since 1950.
Indefinite pessimism works because it’s self-fulfilling: if you’re a slacker with low expectations, they’ll probably be
“lean startup”
“minimum viable product,”
intelligent design works best.
You are not a lottery ticket.
You should focus relentlessly on something you’re good at doing, but before that you must think hard about whether it will be valuable in the future.
what valuable company is nobody building?
A company does better the less it pays the CEO—that’s one of the single clearest patterns I’ve noticed from investing in hundreds of startups.
Recruiting is a core competency for any company. It should never be outsourced.
1. The Engineering Question
2. The Timing Question
3. The Monopoly Question
4. The People Question
5. The Distribution Question
6. The Durability Question
7. The Secret Question
10x, improvements.
what will the world look like 10 and 20 years from now, and how will my business fit in?

Cyber crime, RSACRT, C-Lion, Security, Death to BS, ChinaCacheCDN, CloudFlare, Internet Map

posted Sep 7, 2015, 7:55 AM by Sami Lehtinen   [ updated Oct 2, 2015, 8:32 PM ]

  • Finland enhances cyber crime legislation and punishments. Now it's even easier to get convicted of cyber crimes in Finland. Including identity theft, causing danger to cyber systems, damaging cyber systems, destroying / corrupting data, cyber privacy violations, disturbing ICT systems and data theft / hacking (cracking). Now it's possible to get five-year convictions for these crimes. Botnets are also mentioned separately, as is the case where key infrastructure is being attacked.
  • RSA CRT leaks - Well well. Nothing new. It's so normal that different (vital) steps are skipped in processes. A very common and usual vector in software. Essential XKCD. Smile. Yet it's nice to notice that GnuPG and OpenSSL are doing the verification step.
  • C-Lion (Sea Lion?) fiber optic submarine cable between Finland & Germany has been accepted by Finnish Government. I wonder if Russian Optical Trans-Arctic Cable System (ROTACS) will be built by PolarNet at some point and if it will go via Finland to Germany or will it be connected to UK directly.
  • I often wonder what's the percentage of securely configured systems. Even if there are very basic guidelines on how to configure systems securely, it seems that the people responsible for security misconfigure the systems most of the time, even if there's constant external monitoring and nagging about it. So unless there's external monitoring, I would assume that at least 90% of systems are absolutely insecurely configured. This doesn't count the systems where the password is NOT the default, but it's still something extremely stupid and guessable.
  • I personally think that information security is a funny field. On one hand there's all that tinfoil stuff, "in theory they could do that": worries about ciphers and hidden zero-day bugs. Then there are all those talks by security gurus about how to make ultra-secure systems. Then there are the somewhat relaxed basic instructions which would reduce the attack surface a lot. But nobody even gives a s*t about those. Then there's the reality where everything is more or less insecure and misconfigured, not following even the relaxed basic rules, allowing very simple automated botnets to brute-force administration accounts / passwords of the systems quite easily. And the only reason why there isn't a major security disaster is that nobody's really trying. It's just like in the article about electronic voting systems. Basically anyone could hack it, if they just wanted to. Any news? Nope? I guess not. I'm just today once again baffled about the reality of ICT security. The truth is anyway that making things secure requires extra work and causes costs, and nobody really wants to have secure systems because it costs something. If totally insecure works as well, it's just stupid to waste money on system security. And we've all seen where this leads in the news.
  • Death to bullshit. A very nice post and valid points. I've done that 'cut down' several times. Just checking which things are such that those only consume mental energy and time and strictly cut those out. No more this and that, I'm done with it, and so on. Relax, enjoy and select high quality but low volume sources. I've also learned to click email delete button very quickly.
  • Xinhua News - Seems to be using the China Cache CDN network now. - Yet China Cache's web page talks about PoPs they're launching in 2013. That's lame, really outdated information. Makes the whole company look really stagnant.
  • Does CloudFlare use different 'user tiers'? I guess they do, CacheFly seems to be doing the same. Smaller (Free / Promo) sites using the CDN network won't get the same number of PoPs to use as larger (or paying) sites. This doesn't mean that performance would be bad. But it still makes a big difference if a site is being served from every PoP or just a few major ones around Europe and the US where bandwidth is cheapest. Not surprising at all, I would probably do the same. You get what you pay for. As well, smaller sites might get so few hits that using all PoPs could at least in theory mean worse performance, because it would almost always mean a cache miss.
  • Internet Map - By as2914 (NTT Communications). As you can see, there are only a few major stars on the Internet, which will connect you well around the globe.
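The RSA-CRT verification step from the "RSA CRT leaks" item above, as an added example that is not code from the linked article, GnuPG or OpenSSL. It shows CRT signing, why a fault in one half of the computation leaks a prime factor of the modulus, and the self-check that prevents the faulty signature from ever leaving the signer. The key is a constructed toy key with tiny primes (P, Q), padding is omitted, the fault is simulated by corrupting the mod-p half, and the function names are chosen here.

```python
"""Added example: RSA-CRT signing, the fault leak, and the self-check.

Toy key only: two small constructed primes so the arithmetic is visible.
Real keys are 2048+ bits and sign a padded hash, which is omitted here."""
from math import gcd

# Constructed toy key (NOT a real key).
P, Q = 10007, 10009
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent (needs Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # q^-1 mod p for Garner recombination


def sign_crt(m, fault_in_p=False):
    """s = m^d mod N computed from two half-size exponentiations.
    fault_in_p simulates a glitch (bit flip, skipped step) in the mod-p half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P            # corrupted half
    h = (QINV * (sp - sq)) % P       # Garner recombination
    return sq + h * Q                # s == sq (mod Q) always, s == sp (mod P)


def verify(m, s):
    """Public-key check: does s^e recover m?"""
    return pow(s, E, N) == m


def sign_checked(m, fault_in_p=False):
    """The defensive version: verify before releasing the signature.
    A faulty result is withheld instead of being handed to the caller."""
    s = sign_crt(m, fault_in_p)
    if not verify(m, s):
        raise RuntimeError("RSA-CRT self-check failed; signature withheld")
    return s


def factor_from_faulty_signature(m, s_bad):
    """Why the check matters: a signature that is wrong mod p but right mod q
    satisfies s^e - m == 0 (mod q) only, so gcd with N gives q."""
    return gcd((pow(s_bad, E, N) - m) % N, N)


if __name__ == "__main__":
    m = 42424242                      # constructed message, must be < N
    good = sign_checked(m)
    print("good signature verifies:", verify(m, good))
    bad = sign_crt(m, fault_in_p=True)
    print("faulty signature leaks factor:", factor_from_faulty_signature(m, bad) == Q)
    try:
        sign_checked(m, fault_in_p=True)
    except RuntimeError as err:
        print("checked signer refused:", err)
```

The cost of the check is one public-exponent exponentiation per signature, which is cheap next to the private operation; the alternative is that a single glitched signature released to the outside hands over half the key.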

Network, Android, Security, urandom, PGStorm, OB, Daala, AI, RC4, TCP, Scaleway, Tutanota, Lavaboom

posted Sep 5, 2015, 10:05 PM by Sami Lehtinen   [ updated Sep 5, 2015, 10:06 PM ]

  • Spent some time troubleshooting international networking issues. It's really never much fun trying to find out who's responsible for what and what's really causing the problem.
  • Google is now showing Tweets in search results. That's a good development, especially if you're looking for up-to-the-second information about something happening right now.
  • Tested out Android x86 4.4 on a PC. I think that Android could well replace Windows for most users even on the desktop. It's simplified enough, while Windows (and Linux in general) remain a really horribly complex mess for normal users. Often such a complex mess that even professionals have a hard time dealing with it.
  • Linux workstation security checklist - Yep, just checklist your workstation(s).
  • Read: Peter Thiel's Zero to One book. Notes (Quotes & Highlights) will follow later.
  • Myths about urandom - Yep. There are lot of myths about many ICT topics.
  • PGStorm - Utilize GPU to handle tough SQL queries with thousands of parallel cores.
  • Following OpenBazaar Blog - This is interesting, it's really nice to get weekly project updates & news.
  • Checked out eTasku - They provide electronic receipt archival and a mobile communication channel directly to bookkeepers for handling travel expenses in a fully electronic way. Receipts are photographed, archived, securely stored and easily accessible to bookkeepers.
  • Checked out Daala Video Codec - It's excellent if there's a proper HEVC / H.265 - competitor, like VP10. Patents and licenses with video codecs are a huge annoying problem for open source.
  • Using SPDY and HTTP/2 to batch HTTPS/REST requests for significantly better performance.
  • How closely everyone is being watched nowadays. Yes, we know where you are and when, which also helps to predict the future. Metadata articles: How you're being tracked all the time, What metadata reveals about your life.
  • More AI & Robotics articles 1) AI Evolution, 2) Cambrian Explosion of Robotics.
  • Browsers finally dropping RC4 cipher support. - It's about time! Yet it seems that some browsers like the Dolphin Browser are still using RC4 as the primary preferred cipher.
  • Excellent post about TCP optimization in mobile networks - I really liked it. Bump in a cable performance optimizations. Latency splitting, Retransmit, Buffer bloat, queuing vs dropping packets, RTT packet loss, unit testing, MTU clamping, data plane.
  • Scaleway - European dedicated bare-metal ARMv7 cloud servers. These could be really great for some workloads. I guess I've gotta get one for my own stuff. Email server and hosting some random projects etc. I can use Docker to further split it down into smaller secure units.
  • Tutanota - Free European Secure Email. I think it's great: nice to use, fast, good, and hosted in Germany.
  • Lavaboom: I think that Lavaboom was just a VC rip-off. I've seen people running similar projects and the actual running costs are really low, unless you bloat them on purpose to burn money. It would be interesting to hear how 'expensive' running social media sites like LoadAverage is. I guess it's quite a reasonable amount of money / month. And I'm now talking less than 100 USD / mo.
