Blog‎ > ‎

Email delivery, mobile payments, TCP, UDP, BitMessage, OpenBazaar, CyberWar, Let's Encrypt and more

posted Oct 24, 2015, 9:21 AM by Sami Lehtinen   [ updated Oct 24, 2015, 9:22 AM ]
Wow, what a wall of text. But I've been busy during the last week evening and weekends.
  • Investigated a few email delivery platforms and also tested those with my own code as well as existing Python libraries. Services tested were MailGun and SendGrid, I liked both. Yet MailGun was faster to setup, SendGrid required additional message to their support before account activation. Actually they haven't returned since. That's sad, because I would have preferred SendGrid over MailGun because they've got European servers and due to that fact latency is 20x less to their API than to MailGun's but no can do, if they won't let me to use their service.
    Both services are also American, I would prefer fully European alternative. I could naturally run my own SMTP outbound service aka postfix. Actually I'm already doing so, cloning and modifying a few parameters in configuration would be pretty trivial. I just wanted to see what these services provide as extra value. The extra value comes mostly from webhooks and handling incoming email, sending email is just so easy. Another question is of course the mail deliverability aspect. My own mail server could send walls of mail directly to spam folder, even if the users have to a) subscribe for those mails and b) confirm their email address before any content is actually getting delivered. I studied MailGun API in detail, and I'm currently testing my own code against it which took a bit more time than configuring postfix and making a script to handle bounced mails, so I don't think it's a big win if you're already experienced email system operator.
  • Worked also with yet another mobile payment integration. This is different case than the one mentioned in last post. More fun, more integrations, business as usual. We'll get it done. It's interesting how different the process charts can be for these two separate systems. Another got multiple steps and the other, is very simple and clean API.
  • I just mentioned earlier there's that one integration case which will be interesting or desperate. It's turning out to be just fine. Technically the case has been just the usual kind of case. All the typical 'project issues' there. Communication, access, clarity of goals, how things should be done and so on. Nothing new, business as usual. We'll get it done too, but it'll just takes time when you don't have full access to all the systems which need to be configured or dealt with.
  • Participated in one of the endless TCP vs UDP discussion - UDP is better than TCP, if done "well" but that "well" is quite challenging. Check out QUIC it's HTTPS implementation over UDP, because it's faster. Yet it's very complicated. This discussion UDP vs TCP is never ending, because there are just so many details that can be tuned. Bad UDP implementation is bad, state of art UDP implementation is probably better than TCP.
    It's bit like that my custom database is faster and better than any existing database technology, in one very specific case which we have been tuning it with large team for several years. But for some strange reason many people still opt to use standard NoSL / SQL databases for many purposes.
  • Flood casting networks won't scale and that's not news. Ethernet broadcast storms and good old Gnutella. I started to study P2P applications immediately when Gnutella was out. Napster wasn't real P2P application because it used centralized coordination server. Gnutella used flood casting and it was immediately a problem when more nodes showed up than the network could handle. And that wasn't much.
    BitMessage works similarly, instead it uses TTL time instead of TTL hops compared to Gnutella. I was quite annoyed when BitTorrent told that DHT would be something new, trackerless. Blah blah, when there were stuff like ED2K and other apps which had used DHT for ~10 years at that point.
  • Helped a friend with multi-tenancy system configuration. I've seen so many systems which lack efficient multi-tenant operation mode. Running parallel instances of same application, especially if those use DHT to partially redundantly publish same data is huge waste of resources. Also the constant coordination, republishing etc DHT traffic wastes even more resources. It's better to have proper multi-tenancy mode which allows efficient handling of multiple clients, instead of running individual instances of application and even the operating system (when using full VM, and not using docker or similar light isolation) for multiple users.
  • Decentralized Reputation in OpenBazaar part 2 - There are just so many things to be considered in P2P on-line trading automation process. - I've been reading some details for hours. It's easy to forget that distributed processing is very complex thing, when you assume the situation where you can't trust others or the network and have to think about all potential attack vectors. What if the parties whom signed the contract modify it later, you'll need time stamps and repeated nested signatures etc. Making thing more like a blockchain internally.
  • The CyberWar lession series didn't contain actually any information that I wouldn't have known earlier, all the usual basic stuff was yet explained in detail. So it's more like a good tutorial for n00bs. Cyber Terrorism, Covert Sabotage, Cyber Threats, excellent way of attacking key infrastructure. Because computers do control things in the real world. It's truly IoT, Internet of Targets for offensive cyber weapons. Malware, RAT, 0 day, Cyber Attacks, PLC, Power Grid, Factories, Power plants, Chemical plants, Critical Infrastructure. Destroying electric generators, transformers and all kind of key infrastructure remotely and covertly. I've so often hearing people to ask if it's connected to Internet, but they forget that their operations can be bought to halt also by disabling electricity or water systems. Of course the dependency of Internet services has been going up and up, and will be doing that for foreseeable future. They also mentioned stealing cookies,that just sounds always so much fun! Can you reach the cookie jar? Nowadays most of payment systems also work over public Internet so if the network is brought to halt, the society will grind to halt too.
  • This Cybersecurity is once again a topic like the 'underground Internet markets' which is extremely deep. Anyone can lightly cover it in a hour, but going into details, will take years and years of actual daily operative experience and that's not all, it's even really recommended to also send your free time ti keep updated. Being expert isn't being only being expert at work.
  • How NSA is breaking so much encrypted traffic? - Nice post. So they've have precomputed some large primes and many programs only generate one of large prices used in DH equation leading to weakening of security. But it's also great performance optimization, with cost in security. - NSA Diffie-Hellman (DH) prime weakness used to breaking DH based cryptography. When standard DH parameters are being used. Once again performance optimization has fired back, because using a few primes as one pair of large primes improves performance, yet makes it of course less secure when one part of equation is already pre-known. That's the price to pay when using 'fast' ephemeral DH key generation. There are reasons why some programs generate DH keys a lot faster than others. I've been also using 4096 bit DH keys for a long time. Yet I would prefer 521 bit ECC, as soon as OpenPGP supports it. Yet, Elliptic Curve Cryptography is just logarithm-family cryptography on a different finite field than modular arithmetic.
  • Let's Encrypt is now trusted. - When it comes time to renew my cert, I guess I'll be switching from StartSSL to Let's Encrypt. As well as I can use it for many other servers too which now got self signed or even expired certs. We actually automatically or manually check hash for those certs, so it's not insecure at all. Actually using public keys hash is much more secure than using cert.
  • Estonia E-residency (eID,, electronic-id) makes it possible to create company on-line and soon it's possible to open bank accounts also. I'm following the project but I haven't yet personally applied for e-Residency, maybe I should next time when I visit Estonia.
  • Studied more details of international black markets and underground anonymous & pseudonymous on-line trade. Lot of good and interesting stuff there. Darkweb, deepweb, darknet, deepnet, dark net, deep we, Tor, I2P and others.
  • One long discussion said that Internet of Things will give super powers. Yeah sure! Internet of Targets will give super powers to crackers, spies, criminals and all above to intelligence agencies. - Does that still sound awesome? Well, it depends what you're planning to do.
  • Mapped out bunch of charting libraries as well as different responsive light web frameworks.
  • Read a document and long discussion how to send emails which improve customer engagement with SaaS products. Lot of tricks there. [Welcome Emails, Onboarding Emails, Re-engagement Emails, Revenue Generating Emails, Referral Campaigns] Yet I find that sites like Android Authority are actually very annoying with all that junk mail they're sending. [Acquisition, Activation, Retention, Referral, Profit] kw: sales funnel, drip campaign, abandoned carts, automation, receipts, marketing, sales.
  • Safe Harbor ruling - Is probably just a great win for European cloud service providers like UpCloud.
  • Amazon Web Services (AWS) opens office in Helsinki, Finland. - Amazon Web Services Finland Oy - I just wonder if Amazon Data Center would follow? It would be AWSome.
  • Laughed at the latest EMV crack. Afaik, I think I've heard the story earlier too. The main fail is that the card tells if the entered pin is correct or not, and when you MITM that process, you can always tell that yep, that's the right pin. Sounds like a pretty classic security design fail. - Now someone just used the technique with live production systems.
  • Using the SQLite JSON extension with Python - Charles Leifer posts again awesome Python & SQLite stuff.
  • Now I got a few virtual machines running with latest OpenBazaar development code including client & server. There's still quite many things to be done, before it's done.
  • Used again manufacturers tools as well as badblocks -nsfv to test disks that were assumed to be broken. But let's see what the results are. BadBlocks is nice tool because it can read test and write back the same data. So you can do complete read write test without destroying data on disk. Of course everything should be backed up anyway, but if everything goes well, anything isn't getting destroyed from the disk. Of course testing possibly damaged disk can finalize the destruction of it. But all important data should be in backups anyway, even if disk would die without any warning as many SSD drives do.
  • Studied even more about OpenBazaar Risk Contracts and Future Markets, Insurances aka Speculative Contracts and Dispute Resolution as well as automated network Oracles, Reporters and Escrow Agents. Lending, Bonds, Forward and Futures, Prediction and information markets. - Sorry, no link (yet).
  • Read again everything OpenBazaar project related and wrote a short memo about it. Most important is to have basic knowledge of everything related to contracts, vendors, moderators and reputation management in mind so you don't need to lookup that stuff all the time. It's just like reading for exams or certification, you gotta know it all. And be able to instantly answer how, why, when, in detail. Some parts aren't documented well enough, so I guess I have to read the source code too, I haven't done it yet, I did it with earlier version to find out undocumented stuff I needed. Source Code is excellent and detailed documentation, it just takes a while to read it out. Here's the links to OpenBazaar-Server and OpenBazaar-Client @ GitHub. One of the things they mentioned was "Asynchronous ordering and network message caching", it's just something I would love to take a look and talk a lot. Friends thought that providing fully automated oracles would be a nice service. I've been also talking about different kind of federation models and trust networks like web of trust a lot. More Sybil Attacks & Sockpuppets, security deposits and risk considerations. Reputation Graphs derived from public social network data to improve trustworthiness etc. Also studied the 'A pseudonymous trust system for a decentralized anonymous marketplace' by Dionysis Zindros. - Really great stuff, loved reading it. Yet it takes quite a lot time to think it all through. Line-of-Credit (LoC). External linked identities, etc. Studied JoinMarket and How to sort ratings - using Wilson score and what not to do.
  • Building a Risk Market for the Digital Age Using Bitcoin - Studied article in great detail.
  • I really like the concept of Astroturfing, it's just so great way to manipulate things and making it look like it's not manipulation.