Ave's blog, but more random

this one will have more weird shit

This blog post contains parts I cut out from the main blog post I wrote on the topic, and as such is quite messy. Sorry!

“But why?”

Backstory and my issues with commercial VPN services

I happen to be a Turkey resident at the moment, and Turkey is a country with significant internet censorship, with even some simple websites like pastebin blocked. VPN use is widespread.

The Turkish government, as a result, also goes after many VPN providers.

I used to have an account on PIA, but they got banned, and PIA not only did nothing to help Turkish users work around these bans, but also didn't even cancel our subscriptions, forcing us to get onto alternative VPN providers simply to cancel our subscriptions.

I grew overly suspicious of commercial VPN services over the years, but after hearing many good things about Mullvad (and even seeing stickers of them on 36c3 sticker exchange) I ended up getting an account with them. Everything was alright for 6 months or so, but Turkey, or at least my household ISP (Superonline) banned them around January 2021.

Mullvad, unlike PIA, didn't have my email and as such no way to contact me, and (hopefully) doesn't keep data on my IP geoloc, so I don't blame them for not cancelling my account or contacting me.

When I contacted them, I was told that they're aware of some Turkish users having issues connecting to Mullvad. I was recommended to use the Shadowsocks option in the app, but I ended up cancelling my subscription anyways as I wanted to go back to defaulting to self hosted options.

“So why not selfhost?”

I'm lucky enough to be a person who owns and operates a bunch of servers, and I already have Wireguard deployments on most of them (some older ones also have OpenVPN).

However, there are limitations with self hosting on non-dedicated hardware. Some things that come to mind include:

  • Privacy concerns as you have a static IP that is already associated with services you host (or in my case, also potentially a company I own)
  • Stealthy ports being already potentially taken by services you host on that box
  • Overall limitations caused by infra being in a limited number of countries for latency reasons.

A dedicated self-hosted VPN box solves most of these except for the static IP and the number of locations.

The bigbigvpn approach solves all of these, at least to some degree.

“How'd you even get the idea for this cursed thing?”

Me and my partner were watching a recent video by styropyro when he ended up interjecting a section about some commercial VPN service.

My partner ended up asking me why anyone gets them anyways, as a VPS costs the same. We did talk about this stuff before, and I'm rather outspoken against most commercial VPN services (for reasons I specified earlier).

I told her that I agree, but then went on to talk about the limited number of benefits they provide (that may be good to have depending on some usecases), such as paying once and being able to access many locations and many IPs without having to pay extra... and then I started talking about how you'd need to pay hourly fees in the region to self-host a similar service in addition to your main VPN server...

Then I realized one can just make a VPN service that just does that for all your boxes. At the end of the day:

  • There's many VPS providers offering cheap servers all around the world
  • Most VPS providers bill hourly, have little to no setup costs, and have no commitment requirements
  • One can spin up and down a VPS in mere seconds and have it be configured to their pre-defined requirements (using things like cloud-init)

and I had what can only be described as a “eureka moment”.

So I started working on designing it right there and then, and may have turned off the video. (Sorry styropyro!)

insert random technical questions

  • bigbigvpn currently supports Hetzner, Scaleway and DigitalOcean. More stuff is planned as I stated on the main blog, potentially even just using smth like terraform so that we can support everything.
  • Automatic kill on idle code involves a daemon running on the VPN server, checking for the last Wireguard handshake from all peers. It then kills the server after a configurable amount of time, unless someone connects, in which case it resets the timer.
  • bigbigvpn does indeed support IPv6. Currently it's NAT'd but that's one of the things I intend to improve as I add multi device support.
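
The idle-kill logic described in the list above, as an added example (not bigbigvpn's own code): it parses the output of `wg show <interface> latest-handshakes` and tracks the idle timer. The interface name `wg0`, the 15-minute limit and the `destroy_server` hook are assumptions, and the peer keys in the sample are constructed placeholders.

```python
import subprocess
import time

# Constructed sample of `wg show wg0 latest-handshakes` output:
# "<peer public key>\t<unix time of last handshake>", 0 = never connected.
SAMPLE = "PEER_A_PLACEHOLDER_KEY=\t1700000100\nPEER_B_PLACEHOLDER_KEY=\t0\n"


def parse_latest_handshakes(text):
    """Map each peer public key to its last-handshake unix time."""
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1].isdigit():
            peers[fields[0]] = int(fields[1])
    return peers


class IdleTimer:
    """Reports idle once no peer has handshaken for idle_limit seconds."""

    def __init__(self, idle_limit, started_at):
        self.idle_limit = idle_limit
        # Boot counts as activity, so a fresh server gets a full grace period.
        self.last_activity = started_at

    def update(self, handshakes, now):
        # Ignore timestamps in the future (clock stepped back): they are not
        # evidence of recent activity and would pin a billed server alive.
        valid = [ts for ts in handshakes.values() if ts <= now]
        newest = max(valid, default=0)
        if newest > self.last_activity:
            self.last_activity = newest  # someone connected: reset the timer
        return now - self.last_activity >= self.idle_limit


def watch(destroy_server, interface="wg0", idle_limit=900, poll=30):
    """Poll WireGuard until idle, then call the (hypothetical) destroy hook."""
    timer = IdleTimer(idle_limit, time.time())
    while True:
        out = subprocess.run(["wg", "show", interface, "latest-handshakes"],
                             capture_output=True, text=True, check=True).stdout
        if timer.update(parse_latest_handshakes(out), time.time()):
            destroy_server()  # assumption: wraps the VPS provider's delete call
            return
        time.sleep(poll)
```

Pick an idle limit well above WireGuard's roughly two-minute rekey interval, since an active peer only refreshes its handshake timestamp about that often.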

I've owned Yubikeys for many years now, and have used them for anything from U2F and have always wondered what was (physically) going on inside them.

I, however, was too lazy to even Google until today. The only resources I could find were teardowns by HexView of Yubikey Neo and Yubikey 5 NFC. These were quite impressive, and I was honestly surprised at just how little was in them, and how the author mentioned being able to melt the Neo in acetone. I honestly would've expected more, but I suppose that came with Yubikey 5 series.

Even though I have now moved onto using a Yubikey 4 for my PGP and U2F needs (and Solokey Tap for NFC FIDO2 needs), I still have my first ever Yubikey 4 Nano lying around. While the key in that is still needed to decrypt some of my ancient stuff, I thought that it'd be a good candidate for tearing down as I wondered what was in such a tightly packed product.

(Quick note for the curious: I was initially going to get a Yubikey 5 NFC, but their shipment costs to Turkey increased significantly since my Yk4n and Yk4 orders. They didn't have an authorized reseller in Turkey until recently, and that reseller only sells on a platform I refuse to use. So I got a Solokey Tap and use it alongside my Yk4. Both are great and do everything they promise to do.)

The Process

As the hexview article used acetone and stated that the changes in the material were made with Yubikey 5, I suspected that I could also use acetone, especially as I have a bunch of it at hand.

I have previously used acetone to delayer stuff like smartcards:

Turkish Airlines baggage tracking card in a jar of acetone

For the most part, it just involves putting in the card you want to melt, checking it every now and then to see if any unwanted layers are coming off and getting rid of them, and pulling it out when you reach your intended layer. The process depends on a bunch of factors, but I had a lot more luck when I moved from something flat (which resulted in the need to flip the card every now and then to get it to apply to the bottom side too) to something round like a jar where the acetone acted evenly.

I had no experience with any other type of stuff, so I just dumped it in and hoped for the best:

Yubikey 4 nano at the bottom of the jar

Quite shortly after I did that, I started seeing the “white powdery substance” that hexview mentioned in their Yubikey Neo teardown.

To ensure that the process is going smoothly and to also help it along the way I ended up pulling it out every now and then to wipe the “white powdery substance” or just peel it off using tweezers when applicable:

Yubikey 4 nano covered in a white gooey substance

Yubikey 4 nano partially covered in aforementioned gooey substance, but drier now as it stayed out of acetone for a while

(Quick note: I did end up unintentionally touching and smelling this substance, and it felt, acted and smelled like super glue. This does indeed mean that I had a thin layer of it on my finger, which I quickly removed and thoroughly washed.)

Also, partially through, I saw the “milky-gray acetone solution” that hexview mentioned:

The previously clear acetone solution, now fairly gray and murky

This wasn't a great sign for me as I tend to filter and reuse the acetone, and I wasn't sure if I was going to have to dump it all afterwards. (I still don't know. The hexview page mentions that it settled. I've filtered it off shortly after removing the Yubikey in hopes that it'd help but it didn't help at all. Instead of a hacky “filter”, I later tried using a proper coffee filter, which also sadly didn't help.)

I ended up doing this around 4 or 5 times until I clearly felt with my tweezers that the middle of the layer I was on was actually just the MCU. This was hard to photograph for obvious reasons:

Internals of the Yubikey 4 nano with plastic piece flattening the board to the height of the epoxy around the MCU

I went through the edges in hopes of lifting a plastic-seeming thing that seemed to be in place, and ended up lifting it off:

Partially lifting off the plastic piece with my finger

I scraped off some of the “white powdery substance” that was left around the Yubikey with tweezers, and was left with the insides.

The Pictures

Before:

Bottom side of the Yubikey 4 nano

Top side of the Yubikey 4 nano

After:

Bottom side of the Yubikey 4 nano

Top side of the Yubikey 4 nano

(I also have a scan of the back here, which didn't end up being that good but it's higher quality at least.)

The Aftermath

Just to see if it works or not, I put the plastic piece back on to flatten it:

Yubikey 4 nano, with the plastic piece back on, vaguely flat

...and hackily padded it with some random adhesive label I had lying around to get it to the right height to stay in a USB port:

Shiny black layers covering the back of the Yubikey 4 nano

And would you believe it, it works:

Yubico OTP code being verified, implying that USB communications, tap detection and functionality are working. This also shows the same serial number from the pre-dissolve back side.

Remarks

The Yubikey 4 Nano seems to be very clearly between Neo and 5 NFC, and this makes sense as Yubikey Neo was released in 2012 (was updated in 2014 with U2F support), and Yubikey 4 series was released in 2015, while Yubikey 5 series was released in 2018.

Yubikey 4 Nano shares the same case materials as Yubikey Neo, easily dissolvable in acetone, but has the same MCU as Yubikey 5 NFC (Infineon SLE 78CLUFX5000P01). Other than that there's not a lot I can say about the internals.

Bonus: It's not shown here, but I'd like to note that the keyring hole in hexview's Yubikey Neo teardown was improved on the full size Yubikey 4 with a golden ring (also visible in their Yubikey 5 NFC teardown). I did however have my Yubikey 4 nano's keyring hole fail on me as you can see above.

aka “Ave tries to write a short blog post, dives into old ads, then adds a section about the history that's longer than the blog post topic itself, then splits the whole thing into two posts”

In late 2009 and most of the early 2010s, starting from the 3G launch in Turkey (which was on 30 July 2009), Turkish carriers pushed 3G modems hard, especially Turkcell (which you may have heard of as “Lifecell” too, that's their new international brand name).

Turkcell's 3G modem was so popular that people tend to call 3G modems “VINN”s, which is what Turkcell branded their own installation of this as. While looking up resources for this, I saw many people calling the Vodafone 3G modems “vodafone VINNs”, though Vodafone did themselves no favor by not having a decent name (they called it “vodem”). Avea's (nowadays called Turk Telekom Mobil) one was called “Avea Jet”, which was also rather memorable.

I'd also like to note that this isn't how this whole thing started, it existed before in some form or other, but they were even more obscure, and even more business oriented.

First they started with chunky modems, but after just a couple months moved to the USB modems (has low quality English hardsubs):

I personally don't know anyone who used the “chunky modems” as they were “chunky” and expensive (article says $189), but the USB stick ones became significantly more popular.

The other operators jumped in on this, making their own variants:

You don't need to know Turkish to understand that these earlier ads are aimed at a white collar business crowd (though there are early examples of advertising towards a younger audience, such as this cursed ad).

Over the next couple years, prices went lower and lower, and adoption went up. Target demographic changed accordingly:

(Here's another Vodafone one that's rather generic, and another that's rather boring yet casual)

I don't have a good reason for why it was so popular, but one reason I can guess is the fact that ISPs in Turkey are a major pain in the back, and offer super slow speeds for large amounts of money. Currently, all major ISPs have a yearly or a biyearly contract requirement, with significant fees if you cancel the contract (one exception is TurkNet, they're working on getting their own infrastructure, but they're far from “major” still). I believe this was the same back then too.

These provided a nice way to have Internet wherever you go, not just at a fixed spot (can be a house you don't plan to live in for at least a year, can be your “vacation house”, can be a cafe, can be a park). Some of these did have contract requirements, but you at least had options that didn't require one, and even if you got into a contract, you could just take it with you when you moved. You didn't have to worry about infrastructure as long as the coverage was there.

Similarly, even though this was around the time we were starting to get decent smartphones, it was still not yet there. Things were slow, small and clunky, and to be fair, while social media and communications have definitely caught up, things still aren't the best when it comes to certain stuff like “productivity suites”.

These had really, really, REALLY bad software though, that did all sorts of hacks to work, were slow and prone to crashing (and Linux is a blessing when it comes to this, as you didn't have to deal with them):


(Also, apparently Turkcell wrote one of those horrible pieces of software for Windows 8. It states that that software only works with VINNs with Turkcell SIMs, btw.)

Around 2012, the WiFi variants of these became popular in Turkey. They allowed more users to connect (5-8), didn't involve using horrible software, and also worked on phones and tablets with wifi support. One example of these was the VINNWiFi:

(Turkcell previously offered this under the name “Multi VINN”)

I'm not too interested in these and won't talk much about them. Nowadays you can do the same task with any phone. Similarly, while I haven't messed with one so far, I imagine configuring it to work with any other carrier's SIM card wouldn't be as easy.

Over the years, popularity of this method of connecting to the Internet gradually went down, with everyone I know either just getting a home connection (as you need Internet for many things these days) or using their phone to set up a hotspot. Or even just using their phone for everything (which is somewhat weird to me).

(Note: Turkey calls LTE “4.5G”. 4.5G is the same as 4G/LTE advertised anywhere else in the world.)

However, a couple of years back, Turkcell introduced “Superbox”es, promising fiber or even faster than fiber speeds. Considering that fiber coverage in Turkey isn't the best and that VDSL can get you around 75Mbps on a lucky day with a great connection (and more like 10Mbps if you're not so lucky), it seemed like a decent thing to introduce to the market, especially considering how Turkcell's 4.5G network is decent and I've personally seen it hit around 150Mbps or so (compare that to Vodafone where I've only seen upwards of 35Mbps or so).

However, these are pretty much where this retrospective started from: bulky GSM (well, in this case LTE) routers. Prices are sky high, there are quotas in place (as it's not a fixed internet connection), and reviews are horrible. A 200GB quota at 4.5G speeds costs the same as the unlimited 100Mbps fiber plan by Turkcell Superonline, and so does the unlimited 10Mbps plan. Yet people go for it anyways.

That's all for this retrospective. The point of this post was to help readers of my other post understand why they were once popular, but are not anymore, and subsequently why they're so easily available for so cheap.

Cloudflare has many employee resource groups (ERG), and they've become somewhat of an in-joke at this point. Some of them are actually good, some are, less so (vets being advertised as diverse is a bit of a joke tbh?). I wanted to keep a list of their descriptions (taken from blog posts, tweets and titles) and their logos.

Many stickers of said groups

AFAIK these are up to date as of 2020-03-08. If I'm missing any, lmk.

Afroflare

for employees of African descent

Afroflare logo

Latinflare

for Latinx employees

Latinflare logo

Vetflare

Military Veteran Employee Group

Vetflare logo

If you have a better picture, please send it to me here.

Proudflare

a LGBTQIA+ Employee Resource Group (ERG)

Proudflare logo

Womenflare

Womenflare logo

While the name is self explanatory, I don't want to include descriptions unless they're from official sources (as that's what I did for all other ERGs). If you find one that explains it (can be as simple as “Womenflare, our ERG for all women working at Cloudflare”), please send a link to me here.