Companies - 2

Unlike last year, I didn't manage to get me an advent calendar this year. Unfortunately for me, Central European on-line stores won't do deliveries to Finland anymore.

This year I had to go for a much less elegant solution:

That's one for each of the 24 days.
Personally I'd prefer the real ones I had for the past couple years, but this will have to do.

I've been an active IPv6-user for many many years. Of course my ISP doesn't offer a native IPv6, so I'm using a tunnel from SixXS. They have been providing such tunnels free-of-charge for years, and for that I thank them and the ISPs volunteering their capacity for us nerds to have decent IPv6-connectivity. SixXS got tired for IPv6 not getting any traction, the ISPs have almost zero commitment for allowing people to use real, native IPv6. SixXS has a campaign called "Call Your ISP for IPv6!", but I don't think that's going to make much of an impact. When any ISP is actually asked about their IPv6 support, they'll stall by "we'll announce it later" or "but we do support IPv6" (by some unusable mechanism).

When looking what's happening on the ISP-side, Telia (or Sonera, as we call it here in Finland) has enabled 6rd for their connections. It combines DHCPv4 by returning enough parameters for an IPv6 setup with a 64-bitmask to be done. It kinda works, but ... still not the real thing I'm after. Also Elisa and DNA, two big mobile telcos in Finland, started offering IPv6 (DNA, Elisa) for their customers, but ... I'm not going to change my home fiber for a mobile connection. So something is happening at the telco-scene. I'm just waiting my ISP (Elisa) to act on the wired side too.

The other side of the chicken-egg -problem are the services. There is no real commitment on their side either. For example Amazon AWS (a really huge infrastructure provider) really doesn't support IPv6, they have nice IPv6 support for Internet-facing load-balancers, their S3 storage and their content delivery net Cloudfront, to mention few. But when it comes to running a server instance with real native IPv6, no dice. So, you can market your service to be IPv6-ready, all the critical Internet-facing services really do support IPv6, but your infra runs on IPv4 private addresses. Not cool.

And when it comes to services, this is a typical scenario:

That's what's been happening for LinkedIn for I-don't-know-how long. At least this week.

Me being the nerd I am, some background investigation:

# telnet www.linkedin.com 80
Trying 2620:109:c007:102::5be1:f881...
telnet: connect to address 2620:109:c007:102::5be1:f881:
Connection timed out Trying 91.225.248.129...
Connected to www.linkedin.com.
Escape character is '^]'.

A classic.
Their IPv6 is down and they don't know about it. This is their level of commitment:

On September 2014, they announce to have done a "Permanent launch of IPv6". But none of them are using it themselves to realize it has been down for a week! The really scary thing is, that they cannot afford $10 a month for a Pingdom check.

That's what I recommend for everybody to use for monitoring on-line services. Any reputable admin needs to know the second a service is out of reach by general public. IMHO that should include also admins at LinkedIn.

When it comes to lack of IPv6, I need to come clean. This blog isn't running on IPv6 either. Since most of you don't have it, it is impossible for you to know. My co-location host cannot offer me the IPv6, so no avail.

But why? Why is there no real commitment for IPv6? What's blocking all sensible people for going all-in IPv6? Everybody knows, that all possible IPv4 addresses were allocated by IANA to telcos and ISPs in January 2011. So, there is no more. Of course there are plenty of available addresses in RIRs to allocate for regional telcos, so we're not completely bankrupt with IPv4-addresses. But that day is eventually coming, it's just a waiting game. Notable efforts like World IPv6 Launch Day yield no mentionable results.

So what's holding us back? I don't know anything else except everybody going on the path-of-least-resistance. Since there are available IPv4-addresses, why risk a change. With change things can go broken or something may shift so that some people will lose some and others will win some. Not that much of a risk, if you ask me. But here we are, inching towards IPv6 very slowly. Speed it up, goddamnit!

I got a comment from Mr. Martin, that Google changed their SMTPd, so I'll have to revisit the article.

As suggested, new /etc/postfix/smtp_reply_filter would be:

#New 2016/09:
/^5(\d\d )5(.*. \S+ - gsmtp.*)/ 4${1}4$2

Above one is working perfectly on my box.

Again, thanks for Mr. Martin for bringing this topic to my attention.

I was about to do some testing with a cheap Elastic Compute Cloud Linux-instance, but ... AWS wouldn't allocate me one.

Here is the reason from Amazon EC2 Spot Instances Pricing:

Somebody really lost his marbles and is paying ludicrous price for a box.

Ok, in reality that has to be work of two (or more) automated systems competing with each other in a situation where capacity of i2.4xlarge instances is scarce. Any human would do what I did, just pick the bigger box and be happy about that. That instance type with normal pricing costs like $3.41 / hour, and with spot pricing it goes ~60 cents / hour, but not when automated bidding goes haywire.

I'll post something about not computers for a change. Its pretty close, but still, not about computers.

Any self-respecting nerd (such as me) loves video games. Doing first-person-shooter games IRL is always both fun and a lot more difficult than on a computer. 

We had a company activity and went to nearby Megazone for couple rounds of always fun laser tag. Since it was my first time ever doing that, it was like a slap in the face. I'm a 2nd lieutenant in FDF reserve, so I have basic understanding of tactics in a battle. Also I've played video games since early 80s and FPS games since first Wolfenstein. On top of that I've been paintballing enough to know that there is enough realism in video games and paintballing to match real military tactics. However, anything I knew about combat, tactics and fighting at that point was usless.

In the game there were three teams and you, so pretty much everybody you see is an enemy. Megazone is mostly about movement and speedy tags of any visible opponents. The worst thing that can happen to you there is that you're unable to fire your weapon for 8 seconds. During a 25 minute round that's not too dangrous. In paintball or war you're out on the first "tag", here you aren't, it's just a game of accumulating points.

Here are my stats from first round:

I sucked!

My handle in the game was Macro (in the Red team), so being 8th out of 14 wasn't that good. Tactically the maze was a nightmare! In the original Wolfenstein it was possible to be hit only from front, back or sides. In Megazone there were 2 floors, but it was a metal grid walkway making it possible to shoot trough. That made it 5th direction where getting hit was possible. At best I found couple locations where it was possible to get some cover and get hit only from two directions. The only even semi-functional tactic I found was to ignore any defence, cover and cautiousness. Just going recklessly forward and out-gunning everybody on a reaction seemed to work good. Also sniping people long-range was a really good tactic, sometimes I could do 4-5 people from a single position. They never saw me. I also did try attacking enemy bases and defending own base, but they were totally pointless exercises in futility, I spent too much time trying to figure out the value of those.

Here is my second round:

Quite an improvement in points and ranking. I was best in our team and 3rd in total!

Megazone was great fun, but with my background, it'll never be my favorite thing. I want to see my opponents suffering when I hit them, in laser tag that doesn't happen.

Every now and then I need a paper copy of something. In Finland, which to my observations is quite far advanced in the paperless processes (working environment or otherwise), that's rare. The obvious exception to the rule is bookkeeping and banks. They won't live without a hard-copy of something. For the purpose of producing a printout I have a Samsung color laser printer. When it was new, I even made a humorous note of it.

The general grievance about modern printers is, that they cost around € 200,- and almost immediately run out of [insert a name of expensive supply product here]. In my case, nothing else than all colors cost way above € 300,-. But that's not my rant-of-the-day, I knew all about that when I decided to have the unit shipped to my front door. Korean engineers @ Samsung made the actual process of changing a color cartridge a very simple one. I have to say, that hardest part in that is un-boxing the new ones. They are so tightly vacuum-sealed. So, no groaning about that one either.

What do you do with those darned expired things, when you're done!!

I had replaced the black cartridge earlier, it always runs out first. In this instance, I replaced only the colour ones (CMY). So, only 3 useless boxes to throw out of the house.

From The Web, I found somebody having the same problem. This article is in Finnish, but it's pretty much about Samsung color cartridge not having any kind of recycling info in it. Samsun's rep reponnds, that "oh yes, there are instructions". This is the only thing I found about the subject:

It says to go to www.samsung.com/printer/recycle for information. I did and landed at Samsung S.T.A.R Programme (Samsung’s Takeback And Recycle). It has following information about returning used cartridges at How to return your used cartridge -page:

1. Place your used cartridge in the bag and box which came with your new Samsung toner cartridge. In case you wish to send more than one cartridge for recycling, please put all cartridges in one big box, or tape the individual boxes together.
2. Close the box using clear tape;
3. Register yourself/your company on our STAR website. In case you have already registered yourself/your company, please log in using your user name and password. Chose the number of empty cartridges you would like to return and press the ‘get your label!’ button. Your order will be processed immediately. Only one (1) return label will be sent to your registered email address or will pop up at your screen;
4. Print the return label and place it on the large side of the box. If the return label contains a bar code, please keep this bar code visible;
5. Drop off your box at the nearest post office or include it in your usual mail collection.

Well, I guess I'll have to register to the site and get myself some clear packing tape. After doing that, it was possible to print following packing slip:

Looks like a valid customer return information required by postal services. Now the last thing is to go to a post office and leave the bundle there.

So, the information was there. Obviously the entire process is a bit more complex than just taking out the garbage, but I guess Samsung guys will properly handle all the troublesome waste there. That should save the Earth!

Like last year, I happened to get me an advent calendar this year too. The layout is a classic 24 x 0,5L containing 24 lids for the days in random order:

There seems to be .... erhm.... problems transporting alcohol to Finland, and many European vendors have pulled Finland off their available destinations. Amazon.de still delivers Lieferello goodies to us, so I got my Drinks & Fun Die Weihnachtsbrauerei Bier-Adventskalender. The same thing at Lieferello site would be here.

Now I'm just waiting for the 1st of December.

Update 17th and 28th Dec:

To squash a FAQ: The beers in the calendar are different. It wouldn't make any sense to buy a 24 pack of beers and call it an advent calendar. See:

1. Felsgold Premium Pilsener
2. Carl Theodor Lager
3. Felskrone Premium Pilsener
4. Pilsator Pilsener
5. Durlacher Hof Weissbier
6. Dominikaner Pils
7. Brauburger Premium Pilsener
8. Harboe Bear Beer Strong Stout 8%
9. Eichbaum Red Beer
10. Edel Bayer Urtyp Hell
11. Darguner Pilsener
12. Kress Bayrisch Zwickel
13. Barbarossa Premium Schwarzbier
14. 5.0 Original Pils
15. Durlacher Hof Weissbier (Hefeweissbier)
16. Frankenthaler Germania Premium Strong
17. Regenten Pilsener
18. Maisel St. Michaelsberg 1122 Premium Pilsener
19. König Wilhelm Hefeweissbier
20. Mecklenburger Pilsener
21. Dinkelacker CD-Pils
22. von Raven Pilsener
23. Eichbaum Pilsener
24. Barbarossa Brauerei Helles Hefeweizen

When it comes to unlimited supply of failures, one of my absolute favorites is YLE. Whatever they try, they seem to fail at it.

They have stumbled with their on-line service (Areena) a number of times. It took them years and years, but recently it has been at level, semi-decent service, no major failures, works even on iPad.

As they are having an uphill fight with piracy and people not obeying the country limitations they are forced by distribution agreements, they did the only sensible thing anybody can do: if you're using a HTTP proxy, then you're out! The only natural ruling can be that anybody using a proxy is accessing their service from abroad.

Like this:

The license of this radio show says that they will apply geo IP restrictions to it to limit audience in Finland only "( Kuunneltavissa vain Suomessa )". It will result in sorry-you're-not-in-Finland ("Ohjelma ei ole kuunneltavissa ulkomailla") and a refusal to play. However I am in Finland, I should be allowed access to that.

These guys are known for their inability to think smart. It is impossible to know if somebody abroad is using a Finnish proxy or not. The only possible detection method is checking for X-Forwarded-For HTTP-header.

That should be an easy fix. Let's see:

# host areena.yle.fi
areena.yle.fi has address 91.229.138.2
areena.yle.fi has address 91.229.138.6

Whois information for their IP-block is:

% Information related to '91.229.138.0/23AS57066'

route: 91.229.138.0/23
descr: Yleisradio Oy
origin: AS57066
mnt-by: DATANET-NOC
source: RIPE # Filtered

Adding this to /etc/squid/squid.conf:

# Forwarded-for -stuff off for YLE
acl yle_areena dst 91.229.138.0/23
request_header_access X-Forwarded-For deny yle_areena

... and restart will do the trick! Squid-proxy fully supports this kind of behavior with acl and request_header_access -directives. Now YLE-people are blissfully ignorant about you using a proxy or not.

Update 24th Mar 2015 and 1st Jan 2016:
Also MTV katsomo.fi has gone for this stupidity. The fix is obviously:

acl mtv_katsomo dst 23.54.11.0/24 # Katsomo.fi (Akamai)
acl akamai      dst 23.32.0.0/11  # Akamai

request_header_access X-Forwarded-For deny mtv_katsomo
request_header_access X-Forwarded-For deny akamai

Now they allow you to watch via proxy.

As I test different network equipment regularily, I need SIM-cards and data plans for them. All of these are generally available and affordable, just go to nearest R-Kioski and get one.

Elisa (Saunalahti)

Elisa is the biggest telco with number of customers and market share. Their consumer products are under Saunalahti brand, including their pre-paid data plans.

Pre-paid data plans:

• One day 4G (100 Mbit/s) 1.90 €
• One week (21 Mbit/s) 6.60 €
• One month (0,25 Mbit/s) 6.60 €
• One month (4 Mbit/s) 14.90 €
• One month (21 Mbit/s) 16.90 €
• One month 4G (50 Mbit/s) 19.90 €
• Six months (0,25 Mbit/s) 27.80 €

Incoming access:

None. All pre-paid and post-paid data plans are NATed. Post-paid 3G data plans have the possbility of changing into a non-NATed one, but that options is not available for 4G. This is total crap!

TeliaSonera

TeliaSonera is the 2nd biggest telco in Finland. As they operate also in Sweden, Norway and Estonia in general, it is the biggest corporation of these three.

Pre-paid data plans:

• One week 4G (50 Mbit/s) 12,90 €
• One month 4G (50 Mbit/s) 23,90 €

Incoming access:

None. All pre-paid and post-paid data plans are NATed. Post-paid data plans have possibility of subscribing a service (for small fee), to allow public IP-address. Having a fixed IP instead a dynamically allocated one costs extra.

DNA

DNA is the smallest player (excluding virtual operators). When it comes to telcos, size does not matter. Their coverage is equal to bigger players.

Pre-paid data plans:

• 1 GiB transfer, six months 4G (150 Mbit/s) 9,90 €
• 10 GiB transfer, six months 4G (150 Mbit/s) 19,90 €

Incoming access:

All data plans are allocated a dynamically changing public IP-address.

List of open TCP-ports (IP-protocol 6) found with Nmap scanning my own IPv4-address:

• 500/tcp
• 1024/tcp
• 1723/tcp
• 2222/tcp
• 4002/tcp
• 5001/tcp
• 5800/tcp
• 5900/tcp
• 6001/tcp
• 7001/tcp
• 8001/tcp
• 8081/tcp
• 8082/tcp
• 8083/tcp
• 8088/tcp
• 8090/tcp

I also tested other incoming IP protocols and they seem to pass without limitations. Running VPN or IPv6-tunnels is completely possible.

Conclusion

The obvious winner is DNA. It is affordable, no NAT, incoming access is possible, although limited. The only drawback is for people requiring lot of transfer, there is limit for amount of bytes. If you run out, just add another 6 month package, and you're good to go.

2nd place goes for TeliaSonera post-paid Opengate-connection. It is still affordable (17,- € / month, incl. incoming access 3G/4G), no transfer limits and allows full incoming traffic without filtered ports.

3rd place goes for Saunalahti one day pre-paid. It offers speed, no transfer limits, but I had trouble comprehending their system. As I already had a pre-paid SIM, all I had to do is to add credits to its account, but ... I somehow didn't manage to do it. I did do it before, but ...

I survived Slush 2014.

It takes a lot of energy, but is worth it. The event itself is quite an experiment. 5 stages full of talented people talking about their ideas and what they did wrong or right to deserve the right to be speaking to all of us. All the parties that are taking place, when the actual event is not will also consume a lot of energy.

Of all the events, speeches and pitches my personal picks are (I intentionally didn't include those, to whom I'm somehow affiliated with):

• Wooga's CEO Jens Begemann describing how they create hit games, aka. the hit-filter. This seems to be a working recipe from Supercell. The fact seems to be, that if there are 100.000 games in the App Store, only top-15 of them are making serious money. So, your game needs to be in top-15, not top-500.
  
• Dragonbox creator Jean-Baptiste Huynh telling how he wants to change the way kids are learning algebra with a completely new approach by playing a game. It seems that schooling everywhere in the world is sticking with 300 year old methods: to sit on your desk and in order to prepare yourself to work successfully by a conveyer belt of a factory, you must sit still and do as your teacher tells you to. Doesn't sound like 2010s to me. Huh!
  
• Kano founder Alex Klein wanting to turn kids into super-kids by freeing their thinking by introducing everybody into computers and programming. The apparent fact remains, that currently there exists over 8 billion computing devices in the world and only 50 million of us know how to program them (amateurs and professionals combined). His idea is to empower non-nerds to create nice things with computers too.
  

My thanks goes to Slush organizers, Tencent Games and Pocket Gamer.

For many many years I haven't waited the christmas that anxiously, that I would have an advent calendar. Not even a chocolate one. This year I chose to make an exception to that. I got a recommendation to get a proper one from Lieferello.de. Here it is:

This calendar contains 24 (as any advent calendar does) cans of beer. Nice! Finally a good reason to count days for the 1st of December.

If you want to order one, here is the direct link to Die Weihnachtsbrauerei Bier.

When I first saw an ad popping from my Windows 7 system tray I was pretty convinced, that my computer had been hijacked, keylogger installed, all my files sent to a Chinese server and police knocking down my door, because my machine is serving cp-pics in a torrent network. Then I realized, that the advertisement is about Nero. A software, that I bought and installed voluntarily. See:

As you can see from the dates on the pictures, that I've been waiting for this to happen again. This time I was ready and could confirm, that the culprit was indeed Nero. It is totally unclear to me, if I agreed to this in end user license agreement, but that's what they are doing. Perhaps I also gave the birth rights of my first born son like F-Secure did in London (see: Londoners give up eldest children in public Wi-Fi security horror show). Anyway, I'm not exactly happy, that they choose to do this. Nobody knows what else are they doing.

By googling, I found out, that I'm no alone with this problem. Nero's own discussion forum has a thread with topic Why do you think it's acceptable to spam people's PCs?, and there is actually removal instructions.

First go to Task Scheduler:

There is an own folder for Nero and in it, there is a NeroInfo running at install time every 2 days. It most certainly does not display ads every time it runs, but there is the master of this botnet somewhere giving instructions on when to run and what to display. Just delete the task:

And finish it off by deleting the files also:

Now it should stay off for a while! This is a fine specimen of paid software screwing you to the ass.

One day I got an e-mail from Google+ saying: "HQ Code Shop Oy hasn't shared anything on this page with you". I was more than puzzled. Sure I haven't shared anything with myself on Google+.

I clicked the link and got to the page. It had a Manage this page -button at the bottom:

It didn't do much good:

All it said was: "We are sorry, but you do not have access to this service. Please contact your domain administrator for access". Aow come on! Why did you have to create a page for something that you don't own and don't let the owner to control!

I went to my Google Apps administration console:

Yes, I have Google+ enabled for myself. However, that didn't change anything. I still was not able to manage my own company's page.

Many hours of surfing the web, reading many absurd attempts to fix the problem, and nothing. Then I went back to the Other Apps -section and started reading the descriptions:

It says "Add or edit your local business listing on Google Maps" next to Google Places -service, which I hadn't subscribed. I enabled that and hey presto! Suddenly I was able to manage the page. Naturally I had to pass the automated phone call test from Google, but I finally got control of my own property.

This is yet another shame-on-you-Google -thing they do while going towards world domination.

My blog has been on a low maintenance mode, due to the fact that I had other engagements. I was moving to a new house which has an FTTH or Fiber to the Home -connection.

The incoming connection is a 1000BASE-BX Ethernet and the connection carries also a IPTV streams in it. Of the given 1 Gbit/s I'm currently purchasing 250 Mbit/s downlink and 50 Mbit/s uplink. This costs me ~60 € per month. Not very expensive for such a quality bit, huh? There is a one-time building cost for 1800+ € for the connection, but that is not slowing me down.

In detail the connection is implemented with an Ethernet fiber to copper media converter and a CATV-module doing IPTV to DVB-C (SD-channels) and DVB-C2 (HD channels) media conversion. During the setup, the fiber-guy first built couple of meters of indoors cabling connected to the thick ground fiber. Indoor fiber connects to a Swedish made Inteno FG500 box. It looks like this:

In the first picture, there are 4 gigabit Ethernet (copper) connectors and a power connector to the CATV-module. Ethernet ports 1 to 3 are routed with a firewall and NAT, but luckily the port 4 is a bridged one and that's the one I'm using. From that I can get a public IP-address directly from ISP's DHCP-server.

The box splits into two halves, CATV and the "regular" Ethernet part. Parts are connected via power and fiber connectors:

The router has internal IP-address of 192.168.1.1 and it contains very typical web-interface for managing the box. Management looks like this:

WAN-parts are configured to copper Ethernet-ports with interface grouping:

It took me a while to figure all this out. It really matters to which LAN-port the cable is connected to. The WLAN-part can be deactivated and I did just that. I dislike those integrated crappy boxes very much, they are unreliable, insecure and what else ... Being a Linux-man I want to use my favorite Linksys and DD-WRT for any wireless needs.

This has got to be the best part of having a FTTH. The speed! Oh my god! Here are some sample results:

When analysing the results, two things come to my mind. First, Speedtest.net and the measuring servers it has don't go beyond 100 Mbit/s in any conditions (the software displays a maximum of 100 Mbit/s in it). Second, when measuring really fast speeds like I have here, the measurements are very unreliable and the results vary quite a lot when running number of tests in a sequence. In all cases, the downlink measurement is never 100 Mbit/s or even near it. 88 Mbit/s is pretty far from 100, or from the 250 Mbit/s what I'm paying. The uplink measurements are even worse. Those servers don't expect to be hit that hard (perhaps they see a DoS-burst?). Finally, ping 0 ms does not sound very reliable either. I'd assume 2-3 ms to be a best reading in the optimal conditions.

I've been running with this connection for a couple days only, but the assumption is that the uptimes it can keep are amazing. An ADSL-connection is pretty stable, but a fiber should be the rock-solid way to go, that's what I'm expecting from it.

Update Oct 2014:

Speedtest.net indeed goes beyond 100 Mbit/s:

I was renewing a SSL-certificate for a customer. They had been using GeoTrust earlier, so I went there. It was the first and most likely the last time I do business with them.

The order process was pretty similar to the competition. A CSR was submitted and all the necessary information was given. After submission there was a thank you -page and they sent an automated e-mail with information that the order is pending, and will be processed after 5 to 7 business days.

After that, nothing. After waiting for 12 days out of with 8 were business days, my patience ran out. I contacted them and requested to expedite the process. Yet another business day passed, and then they called me after 7 in the night and informed, that there was a mistake in the information I had gave them. I corrected the info, got automated e-mail about it and went into yet another wait.

Two more days later they sent an e-mail that the verification call to customer failed. Their mail had the number in it and it was obvious, that they assumed that the customer was located in USA. Even though, the information stated Finland as the country. I got an e-mail about that too.

At the point, when they issued the new certificate, I was surprised. Against all the odds, they managed to verify the customer in less than three weeks. The real suprise was, that at that point their e-mail replies started pouring in. The lag in their e-mail processing was huge. Last of the replies came 6 days after the certificate was issued. It's beyond stupid, that none of the communication I had with them were actually recorded for the purchase process. Apparely all of them went to a distant support site, which has nothing to do with any of their other actions or operations.

Is it just me, or does GeoTrust's way of doing business suck?