VPN, Networking, OpenBazaar, Images, IPv6, Auth

  • Configured a VPN for a friend and tested everything, including all the protocol options, just for fun. We also found an interesting feature: even though the VPN gateway itself is very well reachable, it seems that the VPN operator has some kind of throttling in place. But no, it doesn't work by causing packet loss. Actually there's no packet loss at all, which is great. But they seem to limit the packet rate. So if there are several parallel CUBIC connections running, the connection latency easily goes totally insane, almost up to 10 seconds or so. But after some small fine tuning, everything runs smoothly just below the rate limits and latencies remain nice. Also configured bash scripts which first try to reconnect the VPN for 3 seconds and, if that doesn't work, sleep for a minute and try again. Also naturally configured certain applications so that traffic won't flow unless the VPN is connected. Also tested the VPN on all platforms which support it, like Android burner phones, etc., just to see if it works. Also configured the VPN to be application specific, so the same environment can easily run programs which are routed through the VPN alongside applications which don't require the VPN and are allowed to access the network directly. This of course means that the system is designed to be usable, instead of tin foil hat secure. But yeah, that's the real world. Tin foil hat security systems are separate independent systems with strict configs.
  • I'm not too familiar with the different kinds of network throttling methods, because those are rarely used in Finland. We've got a very high degree of net neutrality, and usually bandwidth isn't prioritized or capped, except on some cheap mobile connections. A long time ago we used to prioritize traffic, but bandwidth is so cheap that it's better to get more of it than bother with prioritization.
  • Some claim that a VPN improves privacy. But what if the VPN gateways are actually a "point of interest" and having VPN gateway traffic kind of flags you, just like might happen with Tor traffic? Who knows. These flagging patterns aren't public. But there have been claims that you're getting flagged anyway by downloading something like Tails, etc. Who knows. And does it matter at all?
  • It seems that the OpenBazaar-Go 2.0 dev team has fixed the annoying file handle leak that used to bring the system down if it wasn't restarted often enough.
  • The annoying Task Scheduler problem disappeared after one boot, just as mysteriously as it started. Now everything's working, nothing got changed, and nobody admits doing anything on the production platform. A lot of work for nothing, and nobody knows what the problem actually was. So annoying, but let's face it: if there's no problem, nobody's going to investigate the case. Case closed as solved. Without a solution. Haha.
  • Daily WTF. A top web designer was wondering when I said: nice site, but really, shove those PNG files... What PNG? She didn't know the difference between PNG and JPG. I just can't stop loving these braindead people. Why put up an 8 megabyte PNG file, when nobody notices any difference if you replace it with a 130kb JPG? I personally confirmed that there's no way to tell the difference. Except that one of those choices is sane, and the other one is ultra slow and an utterly stupid way of wasting web visitors' time, networking resources, etc. Especially when the same bleep is served to mobile users too. But this is a great example of how "cool" and "quality" are being produced by "top" people. - Yes, she has been lead web designer for over a decade. No $hit.
  • IPv6 adoption hit 20%. There's still a way to go, but it's clear that progress is being made. As stated, I set up all systems at work and at home to fully support and actually use IPv6 years ago.
  • One friend laughed when I told him that I often use basic authentication. I just don't get what the point of laughing is. Basic authentication is an extremely simple way to limit accessibility to a potentially insecure web application / web service. It's just like network IP restrictions. It's a crude, low-level layer blocking access. This doesn't mean that the service itself couldn't have authentication, signatures, etc. Basic auth and IP address restrictions are just there to block "most of the traffic out", and a way to limit the attack surface on a service which might be insecure or easily DoS-able, or so. With IPv6 I'm often using whole /32 subnets for very rough access lists. Yes, it's not a detailed access list, but it's still much better than allowing the whole world to access the service. And it doesn't mean that the addresses which pass that whitelist would practically be allowed to do anything without further identification / authentication / handshakes. - Does someone still disagree with me? Yes, it would be awesome if all web services were bullet proof and ran on super servers which are totally DoS proof. But that's not always the case. So why not take very simple steps to block 99,999% of unauthorized access at a very low level?
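The reconnect loop and the "no traffic unless the VPN is up" gating from the first bullet, as an added Python example (the post's own scripts are bash, and this is not the author's code). The connect command, the `tun0` interface name and the Linux `/sys/class/net` check are assumptions; the one-attempt timeout of 3 seconds and the one-minute back-off are the values the post describes.

```python
# VPN reconnect watchdog (added illustration, not the post's own bash script).
# One attempt waits at most 3 s for the connect command; on failure the loop
# sleeps a minute and tries again. The connect command, the tunnel interface
# name and the /sys/class/net liveness check are assumptions.
import os
import subprocess
import time

CONNECT_TIMEOUT = 3   # seconds one connect attempt may take
RETRY_DELAY = 60      # seconds to back off after a failed attempt


def tunnel_is_up(iface="tun0"):
    """Crude liveness check (Linux): does the tunnel interface exist?"""
    return os.path.isdir(f"/sys/class/net/{iface}")


def try_connect(cmd, timeout=CONNECT_TIMEOUT, run=subprocess.run):
    """Run the connect command once; only exit status 0 within `timeout` counts."""
    try:
        result = run(cmd, timeout=timeout, capture_output=True)
    except subprocess.TimeoutExpired:
        return False
    return result.returncode == 0


def keep_connected(cmd, is_up=tunnel_is_up, max_attempts=None,
                   sleep=time.sleep, run=subprocess.run):
    """Retry until the tunnel is up. Returns (up, attempts, seconds_slept).
    `is_up`, `sleep` and `run` are injectable so the loop can be exercised offline."""
    attempts, slept = 0, 0
    while max_attempts is None or attempts < max_attempts:
        if is_up():
            return True, attempts, slept
        attempts += 1
        if try_connect(cmd, run=run) and is_up():   # trust exit 0 only if iface appeared
            return True, attempts, slept
        sleep(RETRY_DELAY)                          # back off for a minute, then retry
        slept += RETRY_DELAY
    return False, attempts, slept


def run_over_vpn(app_cmd, is_up=tunnel_is_up, run=subprocess.run):
    """Gate: start an application only while the tunnel is up; otherwise refuse."""
    if not is_up():
        return None
    return run(app_cmd)
```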

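The two crude outer layers from the last bullet, an allowlist of whole prefixes (an IPv6 /32 here) checked before HTTP Basic auth, as an added WSGI middleware example that is not the post's own code. The prefixes are documentation ranges and the `ops` credential is a constructed placeholder; the middleware itself and its function names are assumptions.

```python
# Added example (not the post's own code): IP allowlist of whole prefixes
# checked first, then HTTP Basic auth, in front of any WSGI app. Anything that
# fails either layer never reaches the application. The prefixes are
# documentation ranges and the credential is a constructed placeholder.
import base64
import hmac
import ipaddress

ALLOWED_NETS = [ipaddress.ip_network("2001:db8::/32"),   # one whole IPv6 /32
                ipaddress.ip_network("192.0.2.0/24")]    # one IPv4 /24
USERS = {"ops": "secret"}   # placeholder; keep real secrets out of source


def ip_allowed(remote_addr, nets=ALLOWED_NETS):
    """True if the client address lies inside any allowlisted prefix."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False                       # unparsable address: fail closed
    return any(addr in net for net in nets)


def basic_auth_ok(header, users=USERS):
    """Check an 'Authorization: Basic <base64(user:password)>' header."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:                     # bad base64 or bad UTF-8: fail closed
        return False
    expected = users.get(user, "")
    # constant-time compare so timing does not reveal how much of the password matched
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())


def gate(app):
    """WSGI middleware: IP allowlist, then Basic auth, then the real app."""
    def wrapped(environ, start_response):
        if not ip_allowed(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        if not basic_auth_ok(environ.get("HTTP_AUTHORIZATION")):
            start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                                ("WWW-Authenticate", 'Basic realm="ops"')])
            return [b"auth required\n"]
        return app(environ, start_response)
    return wrapped
```
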
2018-10-14