
Reverse Engineering and Serial Adapter Protocols


In the comments to my latest post on the Silicon Labs CP2110, the first comment got me more than a bit upset because it was effectively trying to mansplain to me how a serial adapter (or more properly a USB-to-UART adapter) works. Then I realized there’s one thing I can do better than complain, and that is providing even more information on this for the next person who might need it. Because I wish I knew half of what I know now back when I tried to write the driver for ch314.

So first of all, what are we talking about? UART is a very wide definition for any interface that implements asynchronous serial communication between a host and a device. The words “serial port” probably bring different ideas to mind depending on a given person’s background, whether it is mice and modems connected to PCs, servers’ serial consoles, or programming interfaces for microcontrollers. For the most part, people in the “consumer world” think of serial as RS-232, while people with experience in complex automation systems, whether home, industrial, or vehicle automation, have RS-485 as their main reference. None of that actually matters here, since those standards mostly deal with the electrical and mechanical layer (signal levels, connectors), not with what gets transmitted over the line.

As physical serial ports on computers stopped appearing many years ago, most users moved to USB adapters. These adapters all differ from each other, and that’s why there are around 40 KSLOC of serial adapter drivers in the Linux kernel (according to David A. Wheeler’s SLOCCount). And that’s without counting the remaining 1.5 KSLOC implementing CDC ACM, which is the supposedly standard approach to serial adapters.

Usually the adapters are placed either directly on the “gadget” that needs to be connected, which then exposes a USB connector, or on a cable used to connect to it, in which case the device usually has a TRS or similar connector. TRS-based serial cables appear to have become more and more popular thanks to osmocom, as they are relatively inexpensive to build, both as cables and as connectors on custom boards.

Serial interface endpoints in operating systems (/dev/tty{S,USB,ACM}* on Linux, COM* on Windows, and so on) do not only transfer data between host and device, but also provide configuration of parameters such as transmission rate and “symbol shape”. You may have seen something like “9600n8”, which is a common way to express the line settings of a serial interface: 9600 symbols per second (the “baud rate”), no parity, 8 bits per symbol (one stop bit is implied by the notation). You can call these “out of band” parameters, as they are transmitted to the UART adapter but not to the device itself, and they are the crux of the matter when interacting with these USB-to-UART adapters.

I already wrote notes about USB sniffing, so I won’t go into much detail there, but most of the time when you’re trying to figure out what the control software sends to a device, you start by taking a USB trace, which gives you a list of USB Request Blocks (URBs, effectively the individual transfers), and then you get to figure out what’s going on in there.

For those devices that use USB-to-UART adapters and actually use the OS-provided serial interface (that is, COM* under Windows, where most of the control software has to run), you could use specialised software to intercept only the communication on that interface… but I don’t know of any such modern software, while there are at least a few well-defined interfaces to intercept USB communication. And that would not work for software that accesses the USB adapter directly from userspace, which is always the case for the Silicon Labs CP2110, but is also the case for some of the FTDI devices (those driven through FTDI’s D2XX library rather than the virtual COM port).

To be fair, for those devices that use TRS, I have actually considered just intercepting the serial protocol using the Saleae Logic Pro, but besides being overkill, it would cover just a tiny fraction of the devices, as the more modern ones include the USB-to-UART chip straight on the device, which is also the case for the meter using the CP2110 I referenced earlier.

Within the request blocks you’ll have not just the serial communication, but also all the related out-of-band information, which is usually terminated on the adapter/controller rather than being forwarded onto the device. The amount of information varies widely between adapters. Of those I have had direct experience with, I found one (TI3420) that requires a full firmware upload before it starts working, which means that recording everything from the moment you plug in the device provides a lot more noise than you would expect. But most of those I dealt with had very simple interfaces, using Control transfers for out-of-band configuration, and Bulk or Interrupt[1] transfers for carrying the actual serial data.

With these simpler interfaces, my “analysis” scripts (if you allow me the term, I don’t think they are that complicated) can produce a “chatter” file quite easily by ignoring the whole out-of-band configuration. Then I can analyse those chatter files to figure out the device’s actual protocol, and for the most part it’s a matter of trying between one and five combinations of line settings to find the right one to speak to the device: in glucometerutils I have two drivers using 9600n8 and two drivers using 38400n8. In some cases, such as the TI3420 one, I actually had to decode the configuration packet (thanks to the Linux kernel driver and the datasheet) to find out that it was using 19200n8 instead.

But again, for those, the “decoding” is just a matter of filtering away part of the transmission to keep the useful parts. For others it’s not as easy.

0029 <<<< 00000000: 30 12                                             0.

0031 <<<< 00000000: 05 00                                             ..

0033 <<<< 00000000: 2A 03                                             *.

0035 <<<< 00000000: 42 00                                             B.

0037 <<<< 00000000: 61 00                                             a.

0039 <<<< 00000000: 79 00                                             y.

0041 <<<< 00000000: 65 00                                             e.

0043 <<<< 00000000: 72 00                                             r.

This is an excerpt from the chatter file of a session with my Contour glucometer. What happens here is that instead of buffering the transmission and sending a single request block with a whole string, the adapter (FTDI FT232RL) sends short bursts, probably to reduce latency and keep more accurate serial timing (which is important for devices that need it, for instance some in-chip programming interfaces). This would also be easy to recompose, except it also comes with

0927 <<<< 00000000: 01 60                                             .`

0929 <<<< 00000000: 01 60                                             .`

0931 <<<< 00000000: 01 60                                             .`

which I’m somewhat sceptical come from the device itself. I have not paid enough attention yet to figure out from the kernel driver whether this data is marked as coming from the device or is some kind of keepalive or synchronisation primitive of the adapter.
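As an added example (not code from the post), here is how a practitioner would separate the FT232’s own status traffic from the serial payload before looking for the device protocol. Two facts about the chip are assumed from FTDI’s documentation and the Linux ftdi_sio driver: every bulk IN packet from an FT232 starts with two status bytes, modem status and line status, which the kernel driver strips before the data reaches the tty layer; and when the receive FIFO is empty the chip still returns a status-only packet each time its latency timer expires, so a 2-byte packet such as `01 60` (no modem lines asserted, transmitter empty, no line errors) is exactly what an idle FT232 sends. Whether the `01 60` rows above are those status-only packets depends on whether the chatter script already strips the header from the longer rows, which is the check the post leaves open. The packets below are constructed for the example.

```python
"""Strip FT232 status headers from bulk IN packets and keep only the serial payload.

Added example, not code from the original post. The status-byte layout follows
the Linux ftdi_sio driver (FTDI_RS0_* modem-status bits, FTDI_RS_* line-status bits).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Modem status byte (first byte of every FT232 bulk IN packet); low nibble is reserved.
MODEM_CTS, MODEM_DSR, MODEM_RI, MODEM_RLSD = 0x10, 0x20, 0x40, 0x80
# Line status byte (second byte).
LINE_OE, LINE_PE, LINE_FE, LINE_BI = 0x02, 0x04, 0x08, 0x10   # overrun, parity, framing, break
LINE_THRE, LINE_TEMT, LINE_FIFO = 0x20, 0x40, 0x80            # tx holding empty, tx empty, rx FIFO error
LINE_ERRORS = {LINE_OE: "overrun", LINE_PE: "parity", LINE_FE: "framing", LINE_BI: "break"}


@dataclass
class Packet:
    modem_status: int
    line_status: int
    data: bytes

    @property
    def status_only(self) -> bool:
        # A 2-byte packet: the chip had nothing to deliver, only its periodic status.
        return not self.data

    def errors(self) -> List[str]:
        return [name for bit, name in LINE_ERRORS.items() if self.line_status & bit]


def split_packet(raw: bytes) -> Packet:
    """Split one bulk IN transfer into its two status bytes and the serial payload."""
    if len(raw) < 2:
        raise ValueError(f"FT232 bulk IN packet shorter than its 2-byte header: {raw!r}")
    return Packet(raw[0], raw[1], bytes(raw[2:]))


def reassemble(packets: List[bytes]) -> Tuple[bytes, List[str]]:
    """Concatenate payloads across packets; report status-only packets, modem changes and line errors."""
    stream = bytearray()
    events: List[str] = []
    last_modem = None
    for idx, raw in enumerate(packets):
        pkt = split_packet(raw)
        if last_modem is not None and pkt.modem_status != last_modem:
            events.append(f"packet {idx}: modem status {last_modem:#04x} -> {pkt.modem_status:#04x}")
        last_modem = pkt.modem_status
        for err in pkt.errors():
            events.append(f"packet {idx}: {err} error")
        if pkt.status_only:
            events.append(f"packet {idx}: status-only (latency timer)")
            continue
        stream.extend(pkt.data)
    return bytes(stream), events


# Constructed sample: an idle poll, the string "Bayer" split across two bursts,
# another idle poll, then a packet where CTS is asserted and a parity error is flagged.
SAMPLE = [
    b"\x01\x60",
    b"\x01\x60Bay",
    b"\x01\x60er",
    b"\x01\x60",
    bytes([MODEM_CTS | 0x01, LINE_THRE | LINE_TEMT | LINE_PE]) + b"\r\n",
]

if __name__ == "__main__":
    payload, log = reassemble(SAMPLE)
    print(payload)
    for entry in log:
        print(entry)
```

The same split applies to a usbmon or Wireshark capture: take each bulk IN completion’s payload, drop the first two bytes, and drop the completion entirely when nothing follows them; only then does the remaining byte stream represent what the device actually put on the wire.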

In the case of the CP2110, the first session I captured starts with:

0003 <<<< 00000000: 46 0A 02                                          F..

0004 >>>> 00000000: 41 01                                             A.

0006 >>>> 00000000: 50 00 00 4B 00 00 00 03  00                       P..K.....

0008 >>>> 00000000: 01 51                                             .Q

0010 >>>> 00000000: 01 22                                             ."

0012 >>>> 00000000: 01 00                                             ..

0014 >>>> 00000000: 01 00                                             ..

0016 >>>> 00000000: 01 00                                             ..

0018 >>>> 00000000: 01 00                                             ..

and I can definitely tell you that the first three URBs are not sent to the device at all. That’s because HID (the higher-level protocol that the CP2110 uses on top of USB) uses the first byte of the block to identify the “report” it sends or receives. Checking these against AN434 gives me a hint of what’s going on:

  • report 0x46 is “Get Version Information”: the CP2110 always returns 0x0A (its part number) as the first byte, followed by a device version, which is unspecified; probably only used to confirm that the device is the right one, and possibly for debugging purposes;
  • report 0x41 is “Get/Set UART Enable”: 0x01 just means “turn on the UART”;
  • report 0x50 is “Get/Set UART Config”, and this is a bit more complex to parse: the first four bytes (0x00004B00, most significant byte first) define the baud rate, which is 19200 symbols per second; then follow one byte for parity (0x00, no parity), one for flow control (0x00, no flow control), one for the number of data bits (0x03, 8 bits per symbol), and finally one for the stop bits (0x00, short stop bit); that’s a long way to say that this is configured as 19200n8;
  • reports 0x01 through 0x3F are the actual data transfers, with the report ID doubling as the number of payload bytes that follow (so 0x01 carries exactly one byte); which means the transmission to the device starts with 0x51 0x22 0x00 0x00 0x00 0x00.

This means that I need a smarter analysis script that understands this protocol (which may be as simple as just ignoring anything that does not use a data report, 0x01 through 0x3F) to figure out what the control software is sending.
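Here is an added example (not the post’s script, nor Silicon Labs’ code) of that smarter analysis script: it reads chatter rows like the ones above, separates the out-of-band HID reports from the data reports, decodes the UART configuration into the same “19200n8” notation, and reassembles the bytes actually sent to the device. The report layouts are the ones AN434 gives, as summarised above, with the additional point that data report IDs 0x01 through 0x3F equal the payload length. The chatter-row layout (URB number, direction arrows, offset, hex column padded to a fixed width, ASCII column) is assumed from the excerpt, so the sample input is rebuilt with that padding rather than pasted verbatim. The `build_uart_config()` generator is the host-side counterpart a driver would need.

```python
"""Decode a CP2110 chatter file into out-of-band HID reports and serial payload.

Added example; not code from the original post or from Silicon Labs.
Report layouts as summarised from AN434: Get Version Information (0x46),
Get/Set UART Enable (0x41), Get/Set UART Config (0x50) and data reports
0x01-0x3F, whose report ID is the number of payload bytes that follow.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# AN434 encodings for the UART Config report. The capture in the post confirms
# the codes it uses (parity 0, flow control 0, data bits 3, stop bits 0).
PARITY = {0: "n", 1: "o", 2: "e", 3: "m", 4: "s"}   # none, odd, even, mark, space
DATA_BITS = {0: 5, 1: 6, 2: 7, 3: 8}
STOP_BITS = {0: "short", 1: "long"}

# Chatter row: "0006 >>>> 00000000: 50 00 00 4B 00 00 00 03  00   ...   P..K....."
ROW_RE = re.compile(r"^(\d+)\s+(<<<<|>>>>)\s+[0-9A-Fa-f]{8}:\s(.*)$")
HEX_COLUMN_WIDTH = 49   # 16 bytes * 3 chars plus the extra gap after byte 8; ASCII column starts later


def parse_chatter(text: str) -> List[Tuple[int, str, bytes]]:
    """Return (urb_number, 'host'|'device', report_bytes) for each chatter row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # blank lines or unrelated output
        report = bytes.fromhex(m.group(3)[:HEX_COLUMN_WIDTH])   # fromhex ignores the spaces
        direction = "host" if m.group(2) == ">>>>" else "device"
        rows.append((int(m.group(1)), direction, report))
    return rows


@dataclass
class Session:
    part_number: Optional[int] = None
    device_version: Optional[int] = None
    uart_enabled: Optional[bool] = None
    uart_config: Optional[str] = None     # e.g. "19200n8"
    flow_control: Optional[int] = None
    stop_bits: Optional[str] = None
    to_device: bytearray = field(default_factory=bytearray)
    from_device: bytearray = field(default_factory=bytearray)
    unknown: List[Tuple[int, int]] = field(default_factory=list)   # (urb, report id)


def decode_uart_config(payload: bytes) -> Tuple[str, int, str]:
    """Turn the 8 bytes after report ID 0x50 into ("19200n8", flow_control, stop_bits)."""
    baud, parity, flow, bits, stop = struct.unpack(">IBBBB", payload[:8])
    return f"{baud}{PARITY[parity]}{DATA_BITS[bits]}", flow, STOP_BITS[stop]


def build_uart_config(baud: int, parity: str = "n", data_bits: int = 8,
                      stop_bits: str = "short", flow_control: int = 0) -> bytes:
    """Host-side generator: the Set UART Config report for the given line settings."""
    parity_code = {v: k for k, v in PARITY.items()}[parity]
    bits_code = {v: k for k, v in DATA_BITS.items()}[data_bits]
    stop_code = {v: k for k, v in STOP_BITS.items()}[stop_bits]
    return bytes([0x50]) + struct.pack(">IBBBB", baud, parity_code, flow_control, bits_code, stop_code)


def analyse(text: str) -> Session:
    """Replay the chatter rows, keeping configuration out of band and data in band."""
    s = Session()
    for urb, direction, report in parse_chatter(text):
        rid = report[0]
        if rid == 0x46 and len(report) >= 3:
            s.part_number, s.device_version = report[1], report[2]
        elif rid == 0x41 and len(report) >= 2:
            s.uart_enabled = bool(report[1])
        elif rid == 0x50 and len(report) >= 9:
            s.uart_config, s.flow_control, s.stop_bits = decode_uart_config(report[1:])
        elif 0x01 <= rid <= 0x3F:
            data = report[1:1 + rid]      # report ID is the payload length
            if len(data) != rid:
                raise ValueError(f"URB {urb}: data report {rid:#04x} carries {len(data)} bytes")
            (s.to_device if direction == "host" else s.from_device).extend(data)
        else:
            s.unknown.append((urb, rid))
    return s


def _row(urb: int, direction: str, hex_bytes: str, ascii_col: str) -> str:
    return f"{urb:04d} {direction} 00000000: {hex_bytes.ljust(50)}{ascii_col}"


# Constructed from the CP2110 session excerpt in the post, re-padded to the dumper's layout.
CHATTER = "\n".join([
    _row(3, "<<<<", "46 0A 02", "F.."),
    _row(4, ">>>>", "41 01", "A."),
    _row(6, ">>>>", "50 00 00 4B 00 00 00 03  00", "P..K....."),
    _row(8, ">>>>", "01 51", ".Q"),
    _row(10, ">>>>", "01 22", '."'),
    _row(12, ">>>>", "01 00", ".."),
    _row(14, ">>>>", "01 00", ".."),
    _row(16, ">>>>", "01 00", ".."),
    _row(18, ">>>>", "01 00", ".."),
])

if __name__ == "__main__":
    session = analyse(CHATTER)
    print(session.uart_config, session.to_device.hex(" "))
```

Anything landing in `unknown` is a report the script does not model yet, which is the list to check against AN434 next; a data report whose length does not match its ID is treated as a parse error rather than silently truncated, since that is the kind of framing mistake that makes a reverse-engineered protocol look more complicated than it is.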

And at the same time, I need code that knows how to “talk serial” to this device. Usually the out-of-band configuration is done by a kernel driver: you ioctl() the serial device with the line settings you need (tcsetattr() in libc terms), and the driver sends the right request block to the USB endpoint. But in the case of the CP2110 there’s no kernel driver implementing this, at least by Silicon Labs’ design: since HID devices are usually exposed to userland, and in particular to non-privileged applications, sending and receiving the reports can be done directly from the apps. So indeed there is no COM* device exposed on Windows, even with the drivers installed.

Could someone (me?) write a Linux kernel driver that exposes the CP2110 as a serial, rather than HID, device? Sure. It would require fiddling around with the HID subsystem a bit to have it ignore the original device, and that means it’ll probably break any application built with Silicon Labs’ own development kit, unless someone has a suggestion on how to have both interfaces available at the same time; on the other hand it would allow accessing those devices without special userland code. But I think I’ll stick with the idea of providing a Free and Open Source implementation of the protocol, for Python. And maybe add support for it to pyserial to make it easier for me to use it.

  1. All these terms make more sense if you have at least a bit of knowledge of how USB works behind the scenes, but I don’t want to delve too much into that. [return]
Read the whole story
12 hours ago
Dublin, Ireland
Share this story

Yak Shaving: Silicon Labs CP2110 and Linux


One of my favourite pastimes in the past years has been reverse engineering glucometers for the sake of writing a utility package to export data from them. Sometimes, in the quest of just getting data out of a meter, I end up embarking on yak shaves that are particularly bothersome, as they are useful only for me and no one else.

One of these yak shaves might be more useful to others, but it remains to be seen. I got my hands on a new meter, which I will review later on. This meter has software for Windows to download the readings, so it’s a good target for reverse engineering. What surprised me, though, was that once I connected the device to my Linux laptop first, it came up as a HID device, described as a “USB HID to UART adapter”: the device uses a CP2110 adapter chip by Silicon Labs, and it’s the first time I saw this particular chip (or even class of chip) in my life.

Effectively, this device piggybacks the HID interface, which allows vendor-specified protocols to be implemented in user space without needing in-kernel drivers. I’m not sure if I should be impressed by the cleverness or disgusted by the workaround. In either case, it means that you end up with a stacked protocol design: the glucometer protocol itself is serial-based, implemented on top of a serial-like software interface, which converts it to the CP2110 protocol, which is encapsulated into HID packets, which are then sent over USB…

The good thing is that, as the datasheet reports, the protocol is available: “Open access to interface specification”. And indeed in the download page for the device, there’s a big archive of just-about-everything, including a number of precompiled binary libraries and a bunch of documents, among which figures AN434, which describes the full interface of the device. Source code is also available, but having spot checked it, it appears to have no license specification and as such is to be considered proprietary, and possibly virulent.

So now I’m warming up to the idea of doing a bit more of yak shaving and for once trying not to just help myself. I need to understand this protocol for two purposes: one is obviously having the ability to communicate with the meter that uses that chip; the other is being able to understand what the software is telling the device and vice-versa.

This means I need to have generators for the host side, but parsers for both. Luckily, construct should make that part relatively painless, and make it very easy to write (if not maintain, given the amount of API breakages) such a parser/generator library. And of course this has to be in Python because that’s the language my utility is written in.

The other thing that I realized as I was toying with the idea of writing this is that, done right, it can be used together with facedancer, to implement the gadget side purely in Python. Which sounds like a fun project for those of us into that kind of thing.

But since this time this is going to be something more widely useful, and not restricted to my glucometer work, I’m now looking to release this using a different process, as that would allow me to respond to issues and codereviews from my office as well as during the (relatively little) spare time I have at home. So expect this to take quite a bit longer to be released.

At the end of the day, what I hope to have is an Apache 2 licensed Python library that can parse both host-to-controller and controller-to-host packets, and also implement it well enough on the client side (based on the hidapi library, likely) so that I can just import the module and use it for a new driver. Bonus points if I can use this to implement a test fake framework for the glucometer tests.

In all of this, I want to make sure to thank Silicon Labs for releasing the specification of the protocol. It’s not always that you can just google up the device name to find the relevant protocol documentation, and even when you do it’s hard to figure out if it’s enough to implement a driver. The fact that this is possible surprised me pleasantly. On the other hand I wish they actually released their code with a license attached, and possibly a widely-usable one such as MIT or Apache 2, to allow users to use the code directly. But I can see why that wouldn’t be particularly high in their requirements.

Let’s just hope this time around I can do something for even more people.


Another quick example of the main Libre problem: thermal compensation.

Apologies for not keeping up with the blog, real life has been interfering...

That being said, here is another example of the main drawback of the Libre: thermal compensation is really poor.

Have a look at the chart below and try to guess what it shows...

I am wearing the patch. I am a non diabetic person (neither Type 1, nor Type 2).

12:00: small meal

13:00: exercise (stationary bike starts)

14:00: bottle of sports drink as I start feeling the lack of supplies.

15:00: exercise stops, feeling really drained. My Garmin Fenix says I'll need 67 hours of recovery. My average heart rate was 142, with several spikes to my maximum heart rate. So far, so good: 61 might be a bit on the lowish side, but nothing incoherent.

15:30: I do not eat or drink anything and decide to relax in a warm bath for a while...

My BG starts to climb steadily, first spot check is at 105 mg/dL, second spot check is at 157 mg/dL, around 250% of my actual value. As soon as I get out of my bath, my BG starts to drop precipitously (the reader refuses to provide values at that point) and then resumes cruising at the pre-bath value.

What if I had had to take an insulin dosing decision during that time? What if I had an AP running?

Abbott needs to fix this in the future. Fancy apps, not so much. Decent temperature compensation, yes, definitely.

On the "plus" side, at least for Abbott, the combined effect of the sub-optimal (cough, cough) temperature compensation and the delay compensation - the actual smoothed value never reached the projected high - is so bad that I stopped being motivated in reversing it long ago...


Fantasyland: in the world of IPv6 only networks


It seems to be the time of the year when geeks think that IPv6 is perfect, ready to be used, and the best thing after sliced bread (or canned energy drinks). Over on Twitter, someone pointed out to me that FontAwesome (which is used by the Hugo theme I’m using) is not accessible over an IPv6-only network, and as such the design of the site is broken. I’ll leave aside my comments on FontAwesome because they are not relevant to the rant at hand.

You may remember I called IPv6-only networks unrealistic two years ago, and I called IPv6 itself a geeks’ wet dream last year. You should then not be surprised to find me calling this Fantasyland a year later.

First of all, I want to make perfectly clear that I’m not advocating that IPv6 deployment should stop or slow down. I really wish it would be actually faster, for purely selfish reasons I’ll get to later. Unfortunately I had to take a setback when I moved to London, as Hyperoptic does not have IPv6 deployment, at least in my building, yet. But they provide a great service, for a reasonable price, so I have no intention to switch to something like A&A just to get a good IPv6 right now.

$ host hyperoptic.com
hyperoptic.com has address
hyperoptic.com has address
hyperoptic.com mail is handled by 0 hyperoptic-com.mail.eo.outlook.com.

$ host www.hyperoptic.com
www.hyperoptic.com has address
www.hyperoptic.com has address

$ host www.virginmedia.com
www.virginmedia.com has address

$ host www.bt.co.uk
www.bt.co.uk is an alias for www.bt.com.
www.bt.com has address
Host www.bt.com not found: 2(SERVFAIL)

$ host www.sky.com
www.sky.com is an alias for www.sky.com.edgekey.net.
www.sky.com.edgekey.net is an alias for e1264.g.akamaiedge.net.
e1264.g.akamaiedge.net has address

$ host www.aaisp.net.uk
www.aaisp.net.uk is an alias for www.aa.net.uk.
www.aa.net.uk has address
www.aa.net.uk has address
www.aa.net.uk has IPv6 address 2001:8b0:0:30::65
www.aa.net.uk has IPv6 address 2001:8b0:0:30::68

I’ll get back to this later.

IPv6 is great for complex backend systems: each host gets its own uniquely-addressable IP, so you don’t have to bother with jumphosts, proxycommands, and so on. Depending on the complexity of your backend, you can containerize single applications and then have a single address per application. It’s a gorgeous thing. But as you move towards user-facing frontends, things get less interesting. You cannot get rid of IPv4 on the serving side of any service, because most of your visitors are likely reaching you over IPv4, and that’s unlikely to change for quite a while longer still.

Of course the IPv4 address exhaustion is a real problem and it’s hitting ISPs all over the world right now. Mobile providers already started deploying networks that only provide users with IPv6 addresses, and then use NAT64 to allow them to connect to the rest of the world. This is not particularly different from using an old-school IPv4 carrier-grade NAT (CGN), which is a requirement of DS-Lite, but I’m told it can get better performance and cost less to maintain. It also has the advantage of reducing the number of different network stacks that need to be involved.

And in general, having to deal with CGN and NAT64 adds extra work, latency, and in general bad performance to a network, which is why gamers, as an example, tend to prefer having a single-stack network, one way or the other.

$ host store.steampowered.com
store.steampowered.com has address

$ host www.gog.com
www.gog.com is an alias for gog.com.edgekey.net.
gog.com.edgekey.net is an alias for e11072.g.akamaiedge.net.
e11072.g.akamaiedge.net has address

$ host my.playstation.com
my.playstation.com is an alias for my.playstation.com.edgekey.net.
my.playstation.com.edgekey.net is an alias for e14413.g.akamaiedge.net.
e14413.g.akamaiedge.net has address

$ host www.xbox.com
www.xbox.com is an alias for www.xbox.com.akadns.net.
www.xbox.com.akadns.net is an alias for wildcard.xbox.com.edgekey.net.
wildcard.xbox.com.edgekey.net is an alias for e1822.dspb.akamaiedge.net.
e1822.dspb.akamaiedge.net has address
e1822.dspb.akamaiedge.net has IPv6 address 2a02:26f0:a1:29e::71e
e1822.dspb.akamaiedge.net has IPv6 address 2a02:26f0:a1:280::71e

$ host www.origin.com
www.origin.com is an alias for ea7.com.edgekey.net.
ea7.com.edgekey.net is an alias for e4894.e12.akamaiedge.net.
e4894.e12.akamaiedge.net has address

But multiple other options started spawning around trying to tackle the address exhaustion problem, faster than the deployment of IPv6 is happening. As I already noted above, backend systems, where the end-to-end is under the control of a single entity, are perfect soil for IPv6: there’s no need to allocate real IPv4 addresses to these, even when they have to talk over the proper Internet (with proper encryption and access control, it goes without saying). So we won’t see more allocations like Xerox’s or Ford’s of a whole /8 for backend systems.

$ host www.xerox.com
www.xerox.com is an alias for www.xerox.com.edgekey.net.
www.xerox.com.edgekey.net is an alias for e1142.b.akamaiedge.net.
e1142.b.akamaiedge.net has address

$ host www.ford.com
www.ford.com is an alias for www.ford.com.edgekey.net.
www.ford.com.edgekey.net is an alias for e4213.x.akamaiedge.net.
e4213.x.akamaiedge.net has address

$ host www.xkcd.com
www.xkcd.com is an alias for xkcd.com.
xkcd.com has address
xkcd.com has address
xkcd.com has address
xkcd.com has address
xkcd.com has IPv6 address 2a04:4e42::67
xkcd.com has IPv6 address 2a04:4e42:200::67
xkcd.com has IPv6 address 2a04:4e42:400::67
xkcd.com has IPv6 address 2a04:4e42:600::67
xkcd.com mail is handled by 10 ASPMX.L.GOOGLE.com.
xkcd.com mail is handled by 20 ALT2.ASPMX.L.GOOGLE.com.
xkcd.com mail is handled by 30 ASPMX3.GOOGLEMAIL.com.
xkcd.com mail is handled by 30 ASPMX5.GOOGLEMAIL.com.
xkcd.com mail is handled by 30 ASPMX4.GOOGLEMAIL.com.
xkcd.com mail is handled by 30 ASPMX2.GOOGLEMAIL.com.
xkcd.com mail is handled by 20 ALT1.ASPMX.L.GOOGLE.com.

Another technique that slowed down the exhaustion is SNI. This TLS extension lets the client name the host it wants in the ClientHello, so one listening socket (one IP address and port) can serve multiple certificates. Similarly to HTTP virtual hosts, which are now what just about everyone uses, SNI allows the same HTTP server instance to deliver secure connections for multiple websites that do not share their certificate. This may sound totally unrelated to IPv6, but before SNI became widely usable (it’s still not supported by very old Android devices, and Windows XP, but both of those are vastly considered irrelevant in 2018), if you needed to provide different certificates, you needed different sockets, and thus different IP addresses. It would not be uncommon for a company to lease a /28 and point it all at the same frontend system just to deliver per-host certificates: one of my old customers did exactly that, until XP became too old to support, after which they declared it so, and migrated all their webapps behind a single IP address with SNI.

Does this mean we should stop caring about the exhaustion? Of course not! But if you are a small(ish) company and you need to focus your efforts on modernizing infrastructure, I would not expect you to focus on IPv6 deployment on the frontends. I would rather hope that you’d prioritize TLS (HTTPS) implementation instead, since I would rather not have malware (including but not limited to “coin” miners) executed on my computer while I read the news! And that is not simple either.

$ host www.bbc.co.uk
www.bbc.co.uk is an alias for www.bbc.net.uk.
www.bbc.net.uk has address
www.bbc.net.uk has address

$ host www.theguardian.com
www.theguardian.com is an alias for guardian.map.fastly.net.
guardian.map.fastly.net has address
guardian.map.fastly.net has address
guardian.map.fastly.net has address
guardian.map.fastly.net has address

$ host www.independent.ie
www.independent.ie has address
www.independent.ie has address
www.independent.ie has address
www.independent.ie has address
www.independent.ie has address
www.independent.ie has address
www.independent.ie has address
www.independent.ie has address

Okay I know these snippets are getting old and probably beating a dead horse. But what I’m trying to bring home here is that there is very little to gain in supporting IPv6 on frontends today, unless you are an enthusiast or a technology company yourself. I work for a company that believes in it and provides tools, data, and its own services over IPv6. But it’s one company. And as a full disclosure, I have no involvement in this particular field whatsoever.

In all of the examples above, which are of course not complete and not statistically meaningful, you can see that there are a few interesting exceptions. In the gaming world, XBox appears to have IPv6 frontends enabled, which is not surprising when you remember that Microsoft even developed one of the first tunnelling protocols to kickstart adoption of IPv6. And of course XKCD, being run by a technologist and technology enthusiast, couldn’t possibly ignore IPv6, but that’s not what the average user needs from their Internet connection.

Of course, your average user spends a lot of time on platforms created and maintained by technology companies, and Facebook is another big player of the IPv6 landscape, so they have been available over it for a long while — though that’s not the case for Twitter. But at the same time, they need their connection to access their bank…

$ host www.chase.com
www.chase.com is an alias for wwwbcchase.gslb.bankone.com.
wwwbcchase.gslb.bankone.com has address

$ host www.ulsterbankanytimebanking.ie
www.ulsterbankanytimebanking.ie has address

$ host www.barclays.co.uk
www.barclays.co.uk has address

$ host www.tescobank.com
www.tescobank.com has address

$ host www.metrobank.co.uk
www.metrobank.co.uk has address

$ host www.finecobank.com
www.finecobank.com has address

$ host www.unicredit.it
www.unicredit.it is an alias for www.unicredit.it-new.gtm.unicreditgroup.eu.
www.unicredit.it-new.gtm.unicreditgroup.eu has address

$ host www.aib.ie
www.aib.ie has address

to pay their bills…

$ host www.mybills.ie
www.mybills.ie has address

$ host www.airtricity.ie
www.airtricity.ie has address

$ host www.bordgaisenergy.ie
www.bordgaisenergy.ie has address

$ host www.thameswater.co.uk
www.thameswater.co.uk is an alias for aerotwprd.trafficmanager.net.
aerotwprd.trafficmanager.net is an alias for twsecondary.westeurope.cloudapp.azure.com.
twsecondary.westeurope.cloudapp.azure.com has address

$ host www.edfenergy.com
www.edfenergy.com has address

$ host www.veritasenergia.it
www.veritasenergia.it is an alias for veritasenergia.it.
veritasenergia.it has address
veritasenergia.it mail is handled by 10 mail.ascopiave.it.
veritasenergia.it mail is handled by 30 mail3.ascotlc.it.

$ host www.enel.it
www.enel.it is an alias for bdzkx.x.incapdns.net.
bdzkx.x.incapdns.net has address

to do shopping…

$ host www.paypal.com
www.paypal.com is an alias for geo.paypal.com.akadns.net.
geo.paypal.com.akadns.net is an alias for hotspot-www.paypal.com.akadns.net.
hotspot-www.paypal.com.akadns.net is an alias for wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net is an alias for www.paypal.com.edgekey.net.
www.paypal.com.edgekey.net is an alias for e3694.a.akamaiedge.net.
e3694.a.akamaiedge.net has address

$ host www.amazon.com
www.amazon.com is an alias for www.cdn.amazon.com.
www.cdn.amazon.com is an alias for d3ag4hukkh62yn.cloudfront.net.
d3ag4hukkh62yn.cloudfront.net has address

$ host www.ebay.com
www.ebay.com is an alias for slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net is an alias for e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net has address

$ host www.marksandspencer.com
www.marksandspencer.com is an alias for prod.mands.com.edgekey.net.
prod.mands.com.edgekey.net is an alias for e2341.x.akamaiedge.net.
e2341.x.akamaiedge.net has address

$ host www.tesco.com
www.tesco.com is an alias for www.tesco.com.edgekey.net.
www.tesco.com.edgekey.net is an alias for e2008.x.akamaiedge.net.
e2008.x.akamaiedge.net has address

to organize fun with friends…

$ host www.opentable.com
www.opentable.com is an alias for ev-www.opentable.com.edgekey.net.
ev-www.opentable.com.edgekey.net is an alias for e9171.x.akamaiedge.net.
e9171.x.akamaiedge.net has address

$ host www.just-eat.co.uk
www.just-eat.co.uk is an alias for 72urm.x.incapdns.net.
72urm.x.incapdns.net has address

$ host www.airbnb.com
www.airbnb.com is an alias for cdx.muscache.com.
cdx.muscache.com is an alias for 2-01-57ab-0001.cdx.cedexis.net.
2-01-57ab-0001.cdx.cedexis.net is an alias for evsan.airbnb.com.edgekey.net.
evsan.airbnb.com.edgekey.net is an alias for e864.b.akamaiedge.net.
e864.b.akamaiedge.net has address

$ host www.odeon.co.uk
www.odeon.co.uk has address

and so on and so forth.

This means that for an average user, an IPv6-only network is not feasible at all, and I think the idea that it’s a concept to validate is dangerous.

What it does not mean, is that we should just ignore IPv6 altogether. Instead we should make sure to prioritize it accordingly. We’re in 2018, in which IoT devices are vastly insecure, so the idea of having a publicly-addressable IP for each of the devices in your home is not just uninteresting, but actively frightening to me. And for the companies that need the adoption, I would hope that the priority right now would be proper security, instead of adding an extra layer that would create more unknowns in their stack (because, and again it’s worth noting, as I had a discussion about this too, it’s not just the network that needs to support IPv6, it’s the full application!). And if that means that non-performance-critical backends are not going to be available over IPv6 this century, so be it.

One remark that I’m sure is going to arrive from at least a part of the readers of this, is that a significant part of the examples I’m giving here appear to all be hosted on Akamai’s content delivery network which, as we can tell from XBox’s website, supports IPv6 frontends. “It’s just a button to press, and you get IPv6, it’s not difficult, they are slackers!” is the follow up I expect. For anyone who has worked in the field long enough, this would be a facepalm.

The fact that your frontend can receive IPv6 connections does not mean that your backends can cope with it. Whether it is for session validation, for fraud detection, or just market analysis, lots of systems need to be able to tell what IP address a connection was coming from. If your backend can’t cope with IPv6 addresses being used, your experience may vary between being unable to buy services and receiving useless security alerts. It’s a full stack world.
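As an added example (not code from the original post), here is what the “full stack” point looks like in a backend: an IPv4-only client-address check of the kind a session-validation or fraud-detection system might carry, beside a dual-stack version that also unwraps the IPv4-mapped IPv6 form a dual-stack listener reports. The function names and the sample client list are hypothetical and constructed.

```python
import ipaddress
import re
from typing import Callable, Iterable, Optional, Set, Tuple

# IPv4-only validation of the kind the post warns about: an IPv6 client never
# matches, so a backend built on this turns every IPv6 session into a rejected
# request or a spurious "bad address" security alert.
_V4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def naive_client_key(addr: str) -> Optional[str]:
    m = _V4_RE.match(addr.strip())
    if not m or any(int(octet) > 255 for octet in m.groups()):
        return None  # IPv6 and malformed input are indistinguishable here
    return addr.strip()


# Dual-stack version: parse with the standard library, unwrap IPv4-mapped IPv6
# addresses (::ffff:a.b.c.d) that an AF_INET6 listener reports for IPv4
# clients, and derive a stable key for rate limiting or fraud scoring. A
# single IPv6 address is trivial to rotate inside its /64, so the IPv6 key is
# the /64 prefix rather than the full address (a common heuristic).
def client_key(addr: str) -> Optional[str]:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # same client as its plain IPv4 form
    if isinstance(ip, ipaddress.IPv4Address):
        return f"v4:{ip}"
    net = ipaddress.IPv6Network(f"{ip}/64", strict=False)
    return f"v6:{net}"


# Constructed sample of client addresses as a dual-stack frontend might pass
# them on to a backend (documentation prefixes, not real clients).
SAMPLE_CLIENTS = [
    "198.51.100.7",
    "::ffff:198.51.100.7",       # same client seen through an AF_INET6 socket
    "2001:db8:abcd:1234::10",
    "2001:db8:abcd:1234::ffff",  # same /64 as the line above
    "2001:db8:abcd:5678::1",
    "not-an-address",
]


def summarize(addrs: Iterable[str],
              keyfn: Callable[[str], Optional[str]]) -> Tuple[Set[str], int]:
    """Return (distinct client keys, number of rejected addresses)."""
    keys: Set[str] = set()
    rejected = 0
    for a in addrs:
        k = keyfn(a)
        if k is None:
            rejected += 1
        else:
            keys.add(k)
    return keys, rejected


if __name__ == "__main__":
    for name, fn in (("ipv4-only", naive_client_key), ("dual-stack", client_key)):
        keys, rejected = summarize(SAMPLE_CLIENTS, fn)
        print(f"{name}: {len(keys)} distinct clients, {rejected} rejected")
```

On the sample the IPv4-only check rejects five of six entries, including the IPv4 client that merely arrived through an IPv6 socket; the dual-stack version rejects only the malformed string and collapses the two addresses from the same /64 into one key.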

Read the whole story
22 days ago
Dublin, Ireland
Share this story

The Boys Are Not All Right

1 Share

Last week, 17 people, most of them teenagers, were shot dead at a Florida school. Marjory Stoneman Douglas High School now joins the ranks of Sandy Hook, Virginia Tech, Columbine and too many other sites of American carnage. What do these shootings have in common? Guns, yes. But also, boys.

via Pocket https://www.nytimes.com/2018/02/21/opinion/boys-violence-shootings-guns.html

February 21, 2018 at 10:02PM

23 days ago
Dublin, Ireland

UK Banking Attempt 3: Tesco Bank (and the Irish credit card)

It feels like most of what I end up writing nowadays is my misadventures across a wide range of financial service companies. But here we go (I promise I’ll go back to writing about reverse engineering Really Soon Now™).

The last post on this topic was my rant about how Fineco lacks some basic tools to be used as a sole or primary bank account in the UK. Hopefully they will address this soon, and a sane bank will be available in this country, but for now I had to find alternatives.

Since the various Fintech companies also don’t provide the features I needed, I found myself having to find a “high street bank”. And since my experience up to this point both with Barclays and NatWest was not particularly positive, I decided to look for a different option. Since I have been a mostly-happy customer of Tesco Bank for nearly four years, I decided to give their UK service a try.

At first it appeared to have an online sign-up flow that looked sweet for this kind of problem… except at the end of it, they told me to wait for them to ask me for paperwork to send them through. Turns out the request was for proof of identity (which needs to be certified) and proof of address (which needs to be in original) — the letter and form I could swear is the same that they sent me when I applied for the Irish credit card, except the information is now correct (in Ireland, the Garda will not certify a passport copy, though it appears the UK police forces would).

Let’s ignore the fact that by mailing me at that address, Tesco Bank provided their own proof of address, and let’s focus instead on the fact that they do not accept online printouts, despite almost every service (and, as I found out now, themselves) defaulting to paperless bills and statements. I actually have had a number of bills being mailed to me, including from Hounslow Council, so I have a wide range of choices of what to provide them, but as it turns out, I like a challenge and having some fun with corner cases (particularly as I already solved the immediate need for a bank account by the time I looked into this, but that’s a story for another day).

Here is a part of the story I have not told yet. When I moved to the UK I expected to have to close every account I still had in Ireland, both because Ulster Bank Private is a bloody expensive service, and because at least in Italy I was told I was not entitled to keep credit cards open after I left the country. So as soon as I was in working order over here, I switched over all the billings to Revolut. Unfortunately I couldn’t do that for at least three services (Online.net, Vodafone Italy and Wind/3 Italy) — in two cases because they insist they do not accept anything but Italian cards, while somehow still accepting Tesco Ireland cards.

While trying to figure out an ad-interim solution I got to find out that Tesco Bank has no problem with me still having the “Irish” credit card, and they even allowed me to change the address (and phone number) on file to my new London one. We had some snag regarding the SEPA direct debit, but once I pointed out that they were suggesting breaching the SEPA directives, all was good and indeed the card is debited to the EUR Fineco account.

This also means I get that card’s statements to my London address. So of course I ended up sending, to Tesco Bank, as proof of address… a Tesco Bank Ireland credit card statement. As a way of saying “Do you feel silly enough, now?” to whoever had to manually verify my address and send the paperwork back to me. Turns out it worked just fine, and I got not even a passive aggressive note about it.

Now let’s put aside the registration and let’s take a look at the services provided. Because if I have to rant, I would like at least to rant with some information for others to make up their own minds.

First off, as I said, the first part of the registration is online, after which they get in touch with you to send them the proofs they need. It’s very nice that during the whole time, they “keep in touch” by SMS: they remind you to send the paperwork back, they tell you that the account was open before you receive the snail mail, and so on.

I got a lot of correspondence from Tesco Bank: in addition to the request of proofs, and the proofs being mailed back, I received a notification about the account being opened, the debit card PIN, and a “temporary access number” to sign up online. The debit card arrived separately and through a signature-required delivery. This is a first for me in the UK, as most other cards just got sent through normal mail — except for Fineco, as they used Fedex, and they let me receive it directly at the office, despite it not being the proof of address I sent them.

Once signing up for the online banking, they ask you for an 8-digit security code, a long(er) password, and a selection of verbal question/answers, which are the usual terrible security (so as usual I’ve answered them at random and noted down what I told them the answers were). They allow you to choose your username, but they suggest it stay the email address on file.

The login for the first time from a different computer is extremely awkward: it starts with two digits of the security code, followed by an SMS second factor authentication, followed by the password (not a subset thereof, so you can use a password manager easily for this one), all through different forms. The same happens for the Mobile Banking application (which is at least linked directly from their website, and very easy to install). The mobile banking login appears to work fairly reliably (and you’ll see on the next post why I call this out explicitly).

I set up the rent standing order on this account, and it was a straightforward and painless process, which is the same as a one-time transaction, except for an “I want to repeat this every month” checkbox. All in all, it looks to me like it’s a saner UI than Barclays, and proper enough for the needs I have. I will report back if there is anything particularly different from this that I find over time, of course.

26 days ago
Dublin, Ireland