Blog


The Internet is now broken

For some weeks now, some internet providers have started using encryption on their international links. My own provider, backbone.is, does this by default on all links, so this is nothing new to me. However, it takes more than just checking a box labelled "encrypted" to do so, and some big providers have not taken that into consideration.


On a normal Ethernet, the maximum packet size is usually 1500 bytes. This is called the MTU (maximum transmission unit). If you encapsulate the IP packet in a tunnel such as PPTP or L2TP, as is the case for VPNs, the tunnel headers take up part of those 1500 bytes and the MTU available to the inner packet drops to a slightly lower value. The same happens when a provider encrypts a link: the encryption headers have to fit somewhere. IP is designed so that this should always work, but there are scenarios where it doesn't.

Lets assume you have a path which looks like this:

SENDER ----> ROUTER-A ----> ROUTER-B ----> ROUTER-C ----> ROUTER-D ----> RECEIVER


If SENDER uses an MTU of 1500 and sends a packet to RECEIVER, and all along the way the MTU is 1500 or more, then everything works fine.

If SENDER uses an MTU of 1400 and sends a packet to RECEIVER, the sending machine will make smaller packets than strictly necessary, but everything works. RECEIVER will send its replies back in 1400-byte packets, because when the connection was opened SENDER advertised in the TCP MSS (maximum segment size) option that it cannot accept more than 1360 bytes of TCP payload per segment: the 1400-byte MTU minus 20 bytes of IPv4 header and 20 bytes of TCP header.

Where it gets tricky is if both sides have an MTU of 1500 but somewhere in the middle there is a smaller one. Let's assume the link between B and C now has an MTU of 1300. When SENDER sends a 1500-byte packet and it reaches router B, router B has two options. It can either split the packet into two and forward them to C, or drop it. The first is called "fragmenting". It is inefficient (more headers, more packets, reassembly at the destination) and costs CPU, and, more importantly, a TCP stack doing Path MTU Discovery sets the DF (don't fragment) bit on its packets, which tells routers that they must not fragment them. So router B drops the packet and sends a message back to SENDER telling it that the packet was dropped and what the maximum size it can use is. This message is an ICMP "Fragmentation Needed" message (type 3, code 4; in IPv6 it is "Packet Too Big", type 2) and carries the MTU of the next link. The mechanism is known as Path MTU Discovery (PMTUD). SENDER then retries with packets no larger than the reported MTU. ICMP is the same protocol that ping uses, but this is a different message type.

Now here comes the catch: firewalls.

There are many firewall administrators out there who have no clue and block ICMP completely because they fear it being abused for something. In fact, in the mid-1990s there was a vulnerability in Windows NT (and several other operating systems) which allowed a machine to be crashed by sending it an oversized, fragmented ICMP echo request, the so called Ping of Death. Those days are long gone, however, and ICMP has a purpose. At a minimum, a firewall must let ICMP "Fragmentation Needed" (type 3, code 4) and ICMPv6 "Packet Too Big" (type 2) through, otherwise Path MTU Discovery breaks.


Think of this scenario:

You open a browser and type www.networksolutions.com. Your request travels to the web server. The web server answers with a big picture which is larger than 1500 bytes, so it goes out in 1500-byte packets. The answer travels back towards your browser but gets dropped on the way because a link MTU is slightly smaller. An ICMP Fragmentation Needed message is sent back to www.networksolutions.com, but that ICMP message never reaches the web server because a firewall in front of it drops all ICMP. So the web server keeps retransmitting 1500-byte packets, which get dropped again and again. In other words, the web browser will never get to see anything. Note that the TCP handshake and small requests still succeed, because only the large packets are dropped: the connection opens and then hangs. This is known as a PMTUD black hole.

This is what we have seen since Level3 started encrypting its transatlantic link between Amsterdam and the USA. We saw the same error with many other websites delivered from content delivery networks which also block ICMP. Another example was www.kickstarter.com.

The workaround is to adjust the TCP MSS value on the router for connections passing through it (MSS clamping), so that the initial SYN instructs the other side to use smaller packets. But apparently that was too much to ask of Level3.
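Here is a small simulation of the mechanism described above, added here as an illustration; it is not code from the original post. It models the SENDER to RECEIVER path with the B-C link at 1300 bytes, a TCP stack that sets the DF bit and does Path MTU Discovery, a firewall that drops the ICMP Fragmentation Needed messages, and the MSS clamping workaround on a router. The link MTUs, the client MTUs and the firewall behaviour are constructed for the example.

```python
"""Path MTU Discovery (PMTUD) and TCP MSS clamping, simulated.

Added example, not code from the original post. The link MTUs, the 1300-byte
link between router B and router C, and the firewall that drops all ICMP are
constructed to mirror the scenario described in the text.
"""

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options


def mss_for_mtu(mtu):
    """TCP MSS a host advertises in its SYN for a given interface MTU (IPv4)."""
    return mtu - IP_TCP_HEADERS


def forward_packet(link_mtus, size):
    """Forward one IP packet with the DF (don't fragment) bit set, as TCP does.

    Returns None if the packet reaches the far end, otherwise the MTU of the
    first link that is too small; that value is what the dropping router puts
    into its ICMP "Fragmentation Needed" (type 3, code 4) message.
    """
    for mtu in link_mtus:
        if size > mtu:
            return mtu
    return None


def send_with_pmtud(link_mtus, size, icmp_reaches_sender=True, max_tries=5):
    """Sender transmits `size`-byte packets and shrinks them on each
    Fragmentation Needed message it actually receives.

    Returns the packet size that finally gets through, or None when the sender
    never learns about the drop and keeps retrying the same size (a PMTUD
    black hole).
    """
    for _ in range(max_tries):
        too_small = forward_packet(link_mtus, size)
        if too_small is None:
            return size
        if not icmp_reaches_sender:
            continue  # the firewall ate the ICMP: retry blindly with the same size
        size = too_small  # honour the MTU reported by the dropping router
    return None


def clamp_mss(syn_mss, outgoing_link_mtu):
    """MSS clamping as done on a router: rewrite the MSS option in a passing
    SYN so it never exceeds what the router's own smaller link can carry."""
    return min(syn_mss, mss_for_mtu(outgoing_link_mtu))


def server_response(link_mtus, client_mtu=1500, clamp_at_mtu=None,
                    icmp_reaches_server=True):
    """Client opens a connection; the server answers with full-size segments.

    Returns the IP packet size the server's data ends up using, or None if the
    response is black-holed. `clamp_at_mtu` is the link MTU a clamping router
    applies to the client's SYN (None = no clamping).
    """
    advertised = mss_for_mtu(client_mtu)
    if clamp_at_mtu is not None:
        advertised = clamp_mss(advertised, clamp_at_mtu)
    segment = advertised + IP_TCP_HEADERS  # server fills each segment up to the MSS
    return send_with_pmtud(link_mtus, segment, icmp_reaches_server)


# Constructed path: SENDER -> A -> B -> C -> D -> RECEIVER with the B-C link at 1300.
PATH_WITH_NARROW_LINK = [1500, 1500, 1300, 1500, 1500]
CLEAN_PATH = [1500] * 5

if __name__ == "__main__":
    print("all links 1500:", server_response(CLEAN_PATH))
    print("client MTU 1400:", server_response(CLEAN_PATH, client_mtu=1400))
    print("narrow link, ICMP allowed:", server_response(PATH_WITH_NARROW_LINK))
    print("narrow link, ICMP blocked:",
          server_response(PATH_WITH_NARROW_LINK, icmp_reaches_server=False))
    print("narrow link, ICMP blocked, MSS clamped:",
          server_response(PATH_WITH_NARROW_LINK, clamp_at_mtu=1300,
                          icmp_reaches_server=False))
```

With ICMP allowed, the server backs off to 1300-byte packets after one drop. With ICMP blocked, it retries the same 1500-byte packet over and over and the transfer black-holes. Clamping the MSS in the client's SYN to 1260 makes the server send 1300-byte packets from the start, so the transfer works even though ICMP is still blocked; this is what the router-side workaround buys you.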


Wikileaks donations

After two years of my company DataCell being completely unable to process credit cards due to its aid in processing credit card donations to Wikileaks, the Icelandic Supreme Court has ruled that this blockade by the credit card companies was illegal and has ordered the payment processor to reopen the gates, which it has now done.


So if you like freedom of the press and like Wikileaks, you can now donate again at


https://donations.datacell.com



Internet & Police?

Law enforcement has an important job in society: they look after the rules. The rules change often because the environment changes often. What was forbidden yesterday is allowed today, and what is allowed today is forbidden tomorrow. As such, law enforcement agencies have to keep up with the rules and the environment, identify new hot areas and give up old areas which are no longer a problem.

I did however notice recently that lots of law enforcement agencies forget what their purpose is, and some of them straightforwardly ignore the laws. Here is an example:

Being an ISP (www.backbone.is) and hosting company (www.datacell.com), I have customers who use my infrastructure. And customers have customers, who themselves have customers. Now it is natural that in such a scenario you can end up with one "bad guy" doing something he is not allowed to. This can be a spammer, a criminal hacker, someone doing identity theft or even a murderer. There are many things people do in this world, and that's why we have rules (also known as laws). If such a "bad" guy now gets looked at because he has apparently done something bad, we have the police looking into the matter. Now because we have the internet, the lazy version of the police (I'm not pointing at anyone specific here) thinks: hey, the internet can tell us who this was and what he has done. Let's ask the internet provider whom this IP belongs to, and let's listen to the communication. And while we are at it, let's locate him and track all his movements, his Facebook mails and which porn he watches, etc. Why? Because it's so easy. Well, no, it's not. Laws in my country (Switzerland) specifically forbid a telecom operator from giving out any information about any communication that might have occurred to anyone. It's as forbidden as your postman opening your letters to read them.

The law foresees some exceptions though: if it is a very serious crime (such as murder) _and_ there is no other way to get the information needed. And in 99% of the cases there are other ways.

The reason for those restrictions in the law is obvious. If wiretapping someone has become so easy these days, this opens up all kinds of wishes. A policeman might want to listen to his potentially cheating wife's phone calls, just because he sits in a powerful position where he actually can do it. This is abuse of power. That's why there is always a judge who has to look at the case and decide whether to allow or disallow such surveillance. And this is a showstopper for all kinds of abuse of power. The separation of powers is one of the most important things in a democracy.

Some countries have forgotten that and think the president should have more power so he can protect the country better. I cannot imagine living in a country where anyone could get killed by a governmental order, even without due diligence. This is worse than the death penalty. It opens doors to abuse. And it will be abused more and more. I predict a revolution for that country in the next 20-3 years.

Anyway, coming back to the law enforcement agencies, specifically the police. In civilized European countries you would expect the police to follow the laws stringently. But lately I experience more and more that the police in Europe are understaffed and getting lazy, or are being abused by political powers. So instead of investigating cases in detail, the power to wiretap telecommunications is abused instead, as it is so easy to do. And telecom operators are helping them in many cases without even thinking that they are breaking the law themselves.

I recently got contacted by the police of a foreign nation about an IP address in my range, saying they were investigating a crime committed from that IP (like it was used to sign up somewhere or the like). But instead of using the normal method, going to a judge to get a court order and then using Interpol or bilateral channels to get the information out of the country where the IP is located, they simply used "whois" to find the ISP (in that case me) and sent a fax. Well, even if I wished to help them identify the criminal, I'm not allowed to. By law I need a court order. And this is the case in my country, in their country and in the country where the IP is located. Secondly, the request was done in such a sloppy way that not even the company name on the fax was correct. Instead, the network name from the whois record was used (which is a very old name that no longer represents anything in the current network). Thirdly, by looking at the reverse DNS name of the IP they could have figured out in a second that this was a useless request.

What upsets me most here is not the fact that they are lazy or sloppy or have no clue about how to use the internet resources database (you find lazy or dumb people in every part of society, so that's no excuse). What upsets me most is the fact that they try to push me to break the law to give them that information, even though it is forbidden for a telecom operator to give out such information without a judge's order. And they most probably know that very well! But I see this happening more and more. It's up to the telecom providers to stand up and refuse such requests, and to use their brains before blindly answering them.

I can only say: there is a good reason why the separation of powers is one of the most important pillars of a good democracy.



MacOS X porting / Cocotron

Under MacOS X, you use Unix under the hood. This is basically the kernel (XNU, Mach plus BSD), which is open source, plus the whole user-space environment that NeXT originally developed and Apple adopted when it took over NeXT. This is a set of libraries in user space along with a lot of applications. The libraries are commonly referred to as Cocoa and are not open sourced by Apple (well, some small parts are). Cocoa is the building block of all MacOS X desktop apps. Everything you do to open windows, have menu bars etc. is normally done using Cocoa.

Now if you port an application from or to MacOS X, you have various ways of doing this.

If you come from the Unix environment, you can write apps which use the X Window System as the GUI. Apps will look different from native MacOS X apps, and certain things are not really direct, such as copy & paste to and from OS X apps. But I have seen some applications which work very well in this environment (Wireshark, for example) and some which behave very oddly.

If you come from a Windows environment, you could use Wine, which reimplements the Windows API calls on top of the X Window System, to get onto the MacOS X desktop. It works, but it doesn't look like a Mac, nor does it perform too well. Running Parallels and a virtual Windows machine with the same native app is usually faster (but you need to own Windows and Parallels or VMware Fusion or similar).

The easiest to port is command line stuff; that usually works 99% out of the box, as there we're talking straight Unix system calls.

Now imagine you go the other way around, from MacOS X to other platforms. Again, command line stuff will work. Bringing the Cocoa environment to Unixes and Windows is where it gets difficult.

If you want to write cross-platform applications the other way around, you can't use Cocoa on other platforms. You could write your initial app under MacOS X using the Carbon framework, which carries the classic MacOS 9 API forward, and some folks have reimplemented that API on Windows. But frankly, Carbon is no longer supported, so it's not a good idea to base new development on it. Or you could use the X Window System to easily port it to other Unixes, but then it doesn't look as geeky as it could under MacOS X. And we all want that, right?

So there's basically no way around Cocoa. To have a Cocoa-like environment under Unix there is GNUstep, which works nicely for older apps. If you want to use the newest Objective-C 2.0 features such as @synchronized {}, @property, for (object in collection) and the like (the stuff which saves you thousands of lines of lame repetitive code you would otherwise have to write), then you are better off with Cocotron. Cocotron is another Cocoa clone. It runs on Windows and various Unixes. It is built in a way that you compile everything on your Mac using cross compilers and then only run the result under Windows or Unix.

This cross compilation has advantages and disadvantages. The advantage is that you compile everything out of one source tree in one go, and you can use the nice Xcode for that. The disadvantage is that you definitely need a Mac and that building working cross compilers is a messy process, especially since Xcode 4.x and since Apple switched from gcc to clang. Gcc is being phased out on MacOS X, and a lot of the Objective-C 2.0 support has not yet been backported into mainstream gcc. Apple's own gcc source tree, however, is no longer being developed further and in practice only produces Apple's own binary format, Mach-O. So you cannot easily produce ELF binaries for Linux under MacOS X with good Objective-C 2.0 support without hacking a lot of things together. The developers of Cocotron have come a long way down that road and got it working amazingly well for cross compiling to Windows. The Unix side, however, has been left behind and has not been well maintained, so creating cross compilers for Linux, for example, failed a lot of times for me. I have therefore taken another approach: compile Cocotron, and apps based on it, directly under Linux, and instead of gcc use clang/LLVM, which gives far better Objective-C 2.0 support.

Furthermore, clang gets all the new features from Apple automatically, as Apple contributes its changes back into clang's source, so we are much safer in the long term. In clang, the compiler front end doesn't care whether the output format is ELF or Mach-O or whatever; the LLVM back end takes care of that. That's the big advantage of LLVM. Getting Cocotron to compile properly under Linux took quite some work, but now we have it working, and it's working great!

If you want to try to port your MacOS X code to Linux, then consider using Cocotron. How to get a working compiler and the libraries built, you can find on my separate page cocotron.fink.org, where I have documented all the steps to get it working in detail.


EU Commission (Wikileaks, DataCell vs. Visa & MasterCard)


The EU Commission in Brussels has investigated whether Visa & MasterCard violated competition law when they shut down the processing of credit card donations to Wikileaks. My company DataCell ehf was the payment processor for donations to Wikileaks in 2010. We got cut off by Visa and MasterCard because of that, even though we did not do anything wrong. Political forces were pushing them to do so, but legally speaking they find a million other excuses, none of which holds up in court. We even had a first victory in court in Reykjavik, which ruled in our favour and ordered the card companies to reopen. Nevertheless nothing happens (they appealed). So far we are disconnected from any payments, for our own services as well as for donations to other charity organisations whatsoever. This is discrimination by a market dominator at its best.

The EU Commission had to investigate this case. This preliminary investigation was to verify whether they have to investigate fully. Today they don't think it's of relevance. They write:

...because it is unlikely that any infringement of EU competition rules could be established.

If you follow the discussion in the EU Parliament, then it is the clear will of politics not to allow foreign (US) control over European financial transactions. The Commission's assessment to not even investigate goes in the total opposite direction to the political will.

If you read the full reasoning, it basically sounds like they were hunting for an excuse not to have to investigate it. If you follow their train of thought in their refusal, the conclusion would be that if harm is done to a small or medium enterprise and it disappears from the market, then the player who does the harm is not violating competition law, because the small enterprise disappearing from the market does not significantly change the market itself (one small player less in the market doesn't change the market mechanics). This is most absurd, as the intention of the law is exactly this: to prevent overpowered, monopoly-like players from dictating the market. And that's clearly what happens in our case. Visa decides that we cannot do business while the French can do exactly the same business under exactly the same conditions today. This is an economic declaration of war by Visa, but because Visa is not gaining anything directly from doing so, it's not considered harmful to the market as such (so goes the reasoning of the EU Commission).

There is another side effect which they have not even looked at. Visa's doing in Valitor's case in Iceland has resulted in us also being disconnected from payments from American Express. American Express has confirmed in writing that they have not given any orders to close us down. So if Visa says "disconnect DataCell", then everybody obeys their orders and disconnects them from Visa, MasterCard AND American Express, while American Express has no clue about it. So Visa can set the rules of the market and dictate to other credit card companies whom they can serve or not. This is competition control at its finest. So it is mostly absurd that the EU Commission has not even considered that effect of the case and outright says it's unlikely that there is any infringement of EU competition rules. Hasn't the EU Commission been established for exactly this purpose?

And nobody seems to even take into consideration that this is not about Visa per se but about US politics controlling the EU market. And if the EU Commission can't see the real mechanics behind Visa and closes its eyes to all the facts, then we have to take on the burden and go all the way to the EU court to get justice.

Andreas Fink

CEO

DataCell

Elections Grosser Rat Basel

I'm a candidate for the "Grosser Rat" in Basel. Why did I put myself up for election? I'm a busy man already.

Well, fact is that the Pirate Party, of which I am a member, has lots of good ideas. Some are unconventional, some are maybe far out of reach, but most are generated from today's world, from the position of a young and internet-oriented population. The internet is here. That's a fact. And it affects our daily life more than ever. Many laws were written many decades ago, when nobody could think of something like the internet. This requires that today's laws be changed, adapted or appended to take into consideration the new world we have today.

Unfortunately, many of those elected in today's political environment have no clue about the internet. This leads to new laws which make little sense, are not democratic and might simply help the old players (who have problems following the new business models) protect their wealth instead of allowing new players to compete. In other words, it's important that new laws are written by people who can understand their full consequences. And this can only be done by people who understand the internet to the fullest extent. That's why it's important that we have the Pirate Party going into the Grosser Rat of Basel, because the Pirate Party is full of such people. The old structures lead to protectionism, and protectionism leads to corruption. Corruption leads to unfairness against the public, and this is not democratic at all. In today's world, many so-called democratic states have lost their basic democratic rights. The USA is an example, where torture is now a "normal" thing. The separation of democratic powers is a thing of the past. While I love the USA as a country and its people, I think we will see some dark times coming from a superpower which doesn't care too much about international law. But back to Switzerland.

The Pirate Party is also full of very young people who do not yet have the wisdom of what working together with other political entities means. However, I believe I do. My business life has taught me politics in a way that working towards a doable compromise is a far better solution than trying to push through your own solution to the fullest. This is what Basel needs. At 46 years, I'm the oldest electable candidate from the Pirate Party. But hopefully my long experience will be a fruitful addition to the politics of Basel. And hopefully my contributions to local politics will mean that we will not see corruption and a third edition of the "Fichenaffäre".

The state is elected by the public and has an obligation to serve the public. Otherwise we don't need a state.



Why English (and not German)

Some people might wonder why I blog in English and not in German, my native language. The reasons are many. Fact is that 90% of my working life is conducted in English. My personal environment also speaks English, if perhaps as a second language besides German. Given those facts, it is clear to me that I reach far more people in English than in German.

This might sound strange to people considering voting for me for the "Grosser Rat" of Basel. On the other hand, Basel is a cosmopolitan city with lots of international flair, which is important to keep in mind.



Iceland

If someone wonders why I'm so fascinated by Iceland, then watch this video and you will understand better.

Besides the natural beauty of the country, there are many business aspects such as 100% green energy, a booming economy and a vibrant pulse. Iceland was hit hardest by the financial crisis in 2008 and had its three biggest banks go bankrupt. Nevertheless, it has almost fully recovered since. Not easy for such a small country, which ended up with state guarantees for loans of multiple times the GDP of the whole country.


Old blog posts

I'm migrating my old blog to this new blog. Please be patient.


©2021 Andreas Fink