Ave's blog, but more random

this one will have more weird shit

I've owned Yubikeys for many years now, and have used them for anything from U2F and have always wondered what was (physically) going on inside them.

I, however, was too lazy to even Google until today. The only resources I could find were teardowns by HexView of Yubikey Neo and Yubikey 5 NFC. These were quite impressive, and I was honestly surprised at just how little was in them, and how the author mentioned being able to melt the Neo in acetone. I honestly would've expected more, but I suppose that came with Yubikey 5 series.

Even though I have now moved onto using a Yubikey 4 for my PGP and U2F needs (and Solokey Tap for NFC FIDO2 needs), I still have my first ever Yubikey 4 Nano lying around. While the key in that is still needed to decrypt some of my ancient stuff, I thought that it'd be a good candidate for tearing down as I wondered what was in such a tightly packed product.

(Quick note for the curious: I was initially going to get a Yubikey 5 NFC, but their shipment costs to Turkey increased significantly since my Yk4n and Yk4 orders. They didn't have an authorized reseller in Turkey until recently, and that reseller only sells on a platform I refuse to use. So I got a Solokey Tap and use it alongside my Yk4. Both are great and do everything they promise to do.)

The Process

As the hexview article used acetone and stated that the changes in the material were made with Yubikey 5, I suspected that I could also use acetone, especially as I have a bunch of it at hand.

I have previously used acetone to delayer stuff like smartcards:

Turkish Airlines baggage tracking card in a jar of acetone

For the most part, it just involves putting in the card you want to melt, checking it every now and then to see if any unwanted layers are coming off and getting rid of them, and pulling it out when you reach your intended layer. The process depends on a bunch of factors, but I had a lot more luck when I moved from something flat (which resulted in the need to flip the card every now and then to get it to apply to the bottom side too) to something round like a jar where the acetone acted evenly.

I had no experience with any other type of stuff, so I just dumped it in and hoped for the best:

Yubikey 4 nano at the bottom of the jar

Quite shortly after I did that, I started seeing the “white powdery substance” that hexview mentioned in their Yubikey Neo teardown.

To ensure that the process is going smoothly and to also help it along the way I ended up pulling it out every now and then to wipe the “white powdery substance” or just peel it off using tweezers when applicable:

Yubikey 4 nano covered in a white gooey substance

Yubikey 4 nano partially covered in aforementioned gooey substance, but drier now as it stayed out of acetone for a while

(Quick note: I did end up unintentionally touching and smelling this substance, and it felt, acted and smelled like super glue. This does indeed mean that I had a thin layer of it on my finger, which I quickly removed and thoroughly washed.)

Also, partially through, I saw the “milky-gray acetone solution” that hexview mentioned:

The previously clear acetone solution, now fairly gray and murky

This wasn't a great sign for me as I tend to filter and reuse the acetone, and I wasn't sure if I was going to have to dump it all afterwards. (I still don't know. The hexview page mentions that it settled. I've filtered it off shortly after removing the Yubikey in hopes that it'd help but it didn't help at all. Instead of a hacky “filter”, I later tried using a proper coffee filter, which also sadly didn't help.)

I ended up doing this around 4 or 5 times until I clearly felt with my tweezers that the middle of the layer I was on was actually just the MCU. This was hard to photograph for obvious reasons:

Internals of the Yubikey 4 nano with plastic piece flattening the board to the height of the epoxy around the MCU

I went through the edges in hopes of lifting a plastic-seeming thing that seemed to be in place, and ended up lifting it off:

Partially lifting off the plastic piece with my finger

I scraped off some of the “white powdery substance” that was left around the Yubikey with tweezers, and was left with the insides.

The Pictures

Before:

Bottom side of the Yubikey 4 nano

Top side of the Yubikey 4 nano

After:

Bottom side of the Yubikey 4 nano

Top side of the Yubikey 4 nano

(I also have a scan of the back here, which didn't end up being that good but it's higher quality at least.)

The Aftermath

Just to see if it works or not, I put the plastic piece back on to flatten it:

Yubikey 4 nano, with the plastic piece back on, vaguely flat

...and hackily padded it with some random adhesive label I had lying around to get it to the right height to stay in a USB port:

Shiny black layers covering the back of the Yubikey 4 nano

And would you believe it, it works:

Yubico OTP code being verified, implying that USB communications, tap detection and functionality working. This also shows the same serial number from the pre-dissolve back side.

Remarks

The Yubikey 4 Nano seems to be very clearly between Neo and 5 NFC, and this makes sense as Yubikey Neo was released in 2012 (was updated in 2014 with U2F support), and Yubikey 4 series was released in 2015, while Yubikey 5 series was released in 2018.

Yubikey 4 Nano shares the same case materials as Yubikey Neo, easily dissolvable in acetone, but has the same MCU as Yubikey 5 NFC (Infineon SLE 78CLUFX5000P01). Other than that there's not a lot I can say about the internals.

Bonus: It's not shown here, but I'd like to note that the keyring hole in hexview's Yubikey Neo teardown was improved on the full size Yubikey 4 with a golden ring (also visible in their Yubikey 5 NFC teardown). I did however have my Yubikey 4 nano's keyring hole fail on me as you can see above.

In case you haven't seen it yet, Discord is pushing age related systems pretty heavily lately.

There's two aspects of it, the age gate for NSFW channels, and ID verification for bot developers with bots in 100+ guilds. I'll be writing something on the latter on a future date.

The history

I believe the age gate is being rolled out to everyone these days, as me and lun-4 got it today, and linuxgemini and one of my other partners got it last week. That said, I have seen friends get it as part of A/B testing in the last couple months. As far as I know, the A/B testing on this started on or around 2020-04-03.

The importance

It is important to prevent minors' access to spaces containing sexual content, not just for their healthy development, but also to reduce the risk of them getting groomed.

Some discord guilds take this matter more seriously than others. Some just rely on Discord's NSFW channel warnings (and ban anyone they know is under 18):

Some rely on people specifically requesting access to these roles, and some reportedly even ask you to do an ID verification with them, which, while a rather safe way to lock out people who are lying about their ages, also puts the user's data at risk as they're transmitting it over an unencrypted platform to someone who may in turn not treat this data properly. It also creates privacy concerns.

The Snark

One issue I have with this is how it is presented. I was sending a command on our joins channel (which is marked as NSFW as we were flooded with bots with hateful usernames in the past) and closed my Discord client there last night, and when I opened it this morning, it covered my entire screen and asked me to input my birthday. Also, there was no way to close it: I couldn't just say “ask me later” and be locked out of the channel until I entered my birthday. Clicking outside of the modal or pressing Esc also does not close it.

Discord does not do the discerning between “NSFW” and “sexual” content that well. As with the #joins channel I mentioned above, it is possible to have a channel that can benefit from a warning that it may not be safe to be viewed in a work environment (example, cw racism, transphobia, slurs), but one that isn't sexual.

In addition, what is “NSFW” depends greatly on your line of work and your culture. One could argue that looking at memes is NSFW by itself, or even spending company time on Discord. Over at elixire, we've decided to use “sexual” as a tag word to describe domains that allow sexual content (We currently don't allow sexual content on any domains, but plan to allow it on certain domains on v3 if the domain owner is okay with risking their domain ending up on parental block systems.) instead of “NSFW” to clarify this.

An age gate mostly benefits sexual channels, and IMO more channel types (announcements, chat, sexual, spoiler, disturbing, etc etc) with age gate only applied on channels that are sexual would be more appropriate than applying age gates to all sorts of NSFW content.

The Implementation

IMO, Discord did not implement this properly at all.

Here's all the issues that I've seen with it:

Fixed: Date format was unclear

Image source: This reddit post.

When this feature was first launched, it only allowed date entry in a textbox, in the format of mm/dd/yyyy. The problem with this approach is that many, many countries outside of US do not use this format, and use dd/mm/yyyy instead.

A friend of mine got locked out due to this as while she was 18+, her dd-mm swapped birthday was under 18. Yes, there was a notice on date format at the bottom, but it was a bad implementation. (The date shown is the current date, so date format is also not always fully apparent.)

This was replaced with a date picker in the end, with localized month names to prevent this from happening ever again. That was how it should've been in the first place.

This is a problem that could be prevented if discord was more diverse in the first place. I feel like Discord disallowing remote workers and not sponsoring visas is a factor in this.

If you pick the wrong birthday, you're stuck with it ...-ish

Discord does not allow you to change your birthday once you give it to them once. If you accidentally give them the wrong one (like my friend did) or if someone pulls a prank on you by grabbing your phone or something, you're locked out.

According to the official help article, the only way to change your birthday is by sending discord a picture of you holding a photo ID that contains your date of birth and a piece of paper with your full discord tag. Ouch.

There's no information on the data retention on this other than a weak statement saying that it'll only be used for age verification. There's also other issues with this as I will mention in the article I'll make about the ID verification systems employed by Discord.

TL;DR, though:

– Not everyone has a photo ID.
– Not everyone is comfortable with taking a picture of their face.
– Not everyone is comfortable with transmitting their photo ID and a picture of their face to a private company.

And all of that is valid.

Note: When I discussed my concerns with Discord requiring you to send an ID to change your birthday with a friend, they told me that it's good for preventing the issues I mentioned in the “The Importance” section. While I respect this opinion, I kindly disagree, and wanted to state my reasoning here too: Users that want to lie about their age already can in the first prompt, so IMO disallowing changing your birthday mostly hurts those that aren't trying to bypass this procedure, but those that got locked out improperly.

Age gate encourages users to lie about their age

The whole system in general encourages users to lie about their age, and there's two overt examples of this that I stumbled upon while testing this.

The year picker dropdown automatically starts at 2002 when you click on it (It shows 2001, so you may ask “Ave, why did you say 2002?”, here's my explanation: If you pick a year like 1999, when you click on it again the year that's shown at the top of the dropdown will be 1998):

Year dropdown on age picker, top year is 2001, can be scrolled up a bit, and scrolled down a lot

The code for Android seems to do something similar too, defaulting to current date -18 years.

At first, both me and lun-4 assumed that this was the minimum age and this did bother us quite a bit as we felt like it forced you to lie about your age if you were under 18 (as you cannot close the age gate modal), but when I tested it further on an alt, I found out that this is definitely not the case (oddly enough it stops at 2017, I wonder why they picked 2017 specifically, that seems to be enforced on both desktop and android):

Year dropdown on age picker, top year is 2017, can't be scrolled up, can be scrolled down a lot

So, tl;dr: The year picker starts at the latest year in which an 18 year old person could be born.

Age gate tries to warn you if you say that you're underage

If you give a birthday that is less than 18 years ago, Discord will warn you:

This isn't displayed for people over 18.

While this is handy to prevent cases like the friend that accidentally got locked out, it does seem to also encourage you to lie about your age. Twitter also has a similar prompt before they lock you out of your account due to your birth year. Ideally, I think it'd be more appropriate if they showed this modal to everyone, not just people under 18.

Date calculation issues

Right, this is a big one. Discord does age calculations... weirdly. In some parts it does it properly and in some it does not, and this leads to some issues.

Flat out wrong calculations

On one account, I gave a birthday that's in 3 days (I picked close ones as I wanted to see if the lock would lift automatically on the birthday, it seems like that is the case, but I'm not 100% sure):

Age picker, date June 30, 2002

But in the end, I could still access NSFW channels:

Discord modal asking if I want to view this NSFW channel

Discord seems to calculate birthdays by doing (current date – your birthday), getting the day count, dividing it by 365 and seeing if it's over 18. This means that you get access to NSFW channels 4-5 days (depends on your birthday) early due to leap days.

Note: This is only valid for the desktop client, at least on Stable 62330 (912f791). Android seems to calculate it properly.

This is obviously a simple mistake to make, but it does show issues with QA testing on Discord, especially as this seems to be a deployed feature now.
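
The arithmetic described above, worked through as an added example (this is not Discord's code and not part of the original post; the function names are hypothetical, and the divide-by-365 logic is only the behaviour inferred above). It puts the day-count check next to a calendar comparison and computes how many days early the former flips to 18:

```javascript
// Added example: not Discord's code. Function names are hypothetical.
// Dates are plain "YYYY-MM-DD" strings and all arithmetic is done in UTC,
// so the host's time zone cannot change the result.
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse "YYYY-MM-DD" and reject impossible dates such as 2002-02-30.
function parseIsoDate(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(text);
  if (!m) throw new RangeError(`expected YYYY-MM-DD, got ${text}`);
  const [y, mo, d] = m.slice(1).map(Number);
  const probe = new Date(Date.UTC(y, mo - 1, d));
  if (probe.getUTCMonth() !== mo - 1 || probe.getUTCDate() !== d) {
    throw new RangeError(`no such calendar date: ${text}`);
  }
  return { y, mo, d, utc: probe.getTime() };
}

// The check inferred from the desktop client's behaviour:
// elapsed days divided by a fixed 365-day year.
function naiveAge(birth, today) {
  const days = (parseIsoDate(today).utc - parseIsoDate(birth).utc) / MS_PER_DAY;
  return Math.floor(days / 365);
}

// Calendar comparison: the age only increases once the birthday's month
// and day have been reached. A Feb 29 birthday counts from Mar 1 in
// non-leap years (one common convention, chosen here as an assumption).
function calendarAge(birth, today) {
  const b = parseIsoDate(birth);
  const t = parseIsoDate(today);
  const hadBirthdayThisYear = t.mo > b.mo || (t.mo === b.mo && t.d >= b.d);
  return t.y - b.y - (hadBirthdayThisYear ? 0 : 1);
}

// How many days before the real 18th birthday the naive check flips to 18.
// The leap days inside those 18 years account for the difference.
function daysEarly(birth) {
  const b = parseIsoDate(birth);
  const real18th = Date.UTC(b.y + 18, b.mo - 1, b.d);
  const naive18th = b.utc + 18 * 365 * MS_PER_DAY;
  return (real18th - naive18th) / MS_PER_DAY;
}

// Constructed cases: the first is the birthday and test date from the post.
const cases = [
  ["2002-06-30", "2020-06-27"],
  ["2002-06-30", "2020-06-24"],
  ["2002-01-15", "2020-01-11"],
];
for (const [birth, today] of cases) {
  console.log(birth, today, "naive:", naiveAge(birth, today),
    "calendar:", calendarAge(birth, today), "days early:", daysEarly(birth));
}
```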

Date calculation inconsistencies

(Test below was done on 2020-06-27, one day before the given birthday)

Animated image, of age gate, date given is 2020-06-28, discord asks user to confirm that they're 17, once confirm is clicked, user is shown into the channel (which is not visible), and not the you're too young error

The underage warning does calculate your age properly according to local time, but the code that locks you out of channels is not doing the same. Ngl, this is kind of amusing.

Checks are client-side

The birthday check is done on client-side and can easily be bypassed. I can't really fight too much over this, in the end there's much easier ways for someone to “bypass” it.

The Conclusion

That's all the issues I see with this specific system.

To me, it seems like it doesn't prevent the problems (as users can still easily lie), and goes too far by not allowing someone to update their birthday without sending a picture of them holding their photo ID and a piece of paper with their discord tag. Plus, it currently has bugs that allow minors who don't even lie to access NSFW channels.

I don't know what the proper way of dealing with this problem would be, but I can say with certainty that Discord's current approach isn't it.

This is a long and complicated topic. There's alternative methods, of course, but they're either weak (such as face verification), invasive and weak (such as credit card verification), or just invasive (such as ID verification). The UK had its own share of issues when it proposed such a system. While more invasive verification methods would increase the false positives and make bypassing the system harder, it'd also cause ethical concerns and potentially alienate adult users that do want to view and share sexual content. I know that I wouldn't send my ID to Discord over this.

And that concludes this blog post. Thank you for taking your time to read this.

Post publication updates

On or around 2020-07-17, discord added a “go back” button allowing people to complete the age gate at a future date. This is good.

aka “Ave tries to write a short blog post, dives into old ads, then adds a section about the history that's longer than the blog post topic itself, then splits the whole thing into two posts”

In late 2009 and most of early 2010s, starting from the 3G launch in Turkey (which was on 30 July 2009), Turkish carriers pushed 3G modems hard, especially Turkcell (which you may have heard of as “Lifecell” too, that's their new international brand name).

Turkcell's 3G modem was so popular that people tend to call 3G modems “VINN”s, which is what Turkcell branded their own installation of this as. While looking up resources for this, I saw many people calling the Vodafone 3G modems “vodafone VINNs”, though vodafone did themselves no favor by not having a decent name (they called it “vodem”). Avea's (nowadays called Turk Telekom Mobil) one was called “Avea Jet”, which was also rather memorable.

I'd also like to note that this isn't how this whole thing started, it existed before in some form or other, but they were even more obscure, and even more business oriented.

First they started with chunky modems, but after just a couple months moved to the USB modems (has low quality English hardsubs):

I personally don't know anyone who used the “chunky modems” as they were “chunky” and expensive (article says $189), but the USB stick ones popularized significantly.

The other operators jumped in on this, making their own variants:

You don't need to know Turkish to understand that these earlier ads are aimed at a white collar business crowd (though there are early examples of advertising towards a younger audience, such as this cursed ad).

Over the next couple years, prices went lower and lower, and adoption went up. Target demographic changed accordingly:

(Here's another Vodafone one that's rather generic, and another that's rather boring yet casual)

I don't have a good reason on why it was so popular, but one reason I can guess is the fact that ISPs in Turkey are a major pain in the back, and offer super slow speeds for large amounts of money. Currently, all major ISPs have a yearly or a biyearly contract requirement, with significant fees if you cancel the contract (one exception is TurkNet, they're working on getting their own infrastructure, but they're far from “major” still). I believe this was the same back then too.

These provided a nice way to have Internet wherever you go, not just at a fixed spot (can be a house you don't plan to live in for at least a year, can be your “vacation house”, can be a cafe, can be a park). Some of these did have contract requirements, but you at least had options that didn't require one, and even if you got into a contract, you could just take it with you when you moved. You didn't have to worry about infrastructure as long as the coverage was there.

Similarly, even though this was around the time we were starting to get decent smartphones, it was still not yet there. Things were slow, small and clunky, and to be fair, while social media and communications have definitely caught up, things still aren't the best when it comes to certain stuff like “productivity suites”.

These had really, really, REALLY bad software though, that did all sorts of hacks to work, were slow and prone to crashing (and Linux is a blessing when it comes to this, as you didn't have to deal with them):

(Image source)

(Image source)

(Also, apparently Turkcell wrote one of those horrible pieces of software for Windows 8. It states that that software only works with VINNs with Turkcell SIMs, btw.)

Around 2012, the WiFi variants of these popularized in Turkey. They allowed more users to connect (5-8), didn't involve using horrible software, and also worked on phones and tablets with wifi support. One example of these was the VINNWiFi:

(Turkcell previously offered this under the name “Multi VINN”)

I'm not too interested in these and won't talk much about them. Nowadays you can do the same task with any phone. Similarly, while I haven't messed with one so far, I imagine configuring it to work with any other carrier's SIM card wouldn't be as easy.

Over the years, popularity of this method of connecting to Internet gradually went down, with everyone I know either just getting a home connection (as you need Internet for many things these days) or using their phone to set up a hotspot. Or even just using their phone for everything (which is somewhat weird to me).

(Note: Turkey calls LTE “4.5G”. 4.5G is the same as 4G/LTE advertised anywhere else in the world.)

However, a couple of years back, Turkcell introduced “Superbox”es, promising fiber or even faster than fiber speeds. Considering that fiber coverage in Turkey isn't the best and that VDSL can get you around 75Mbps on a lucky day with a great connection (and more like 10Mbps if you're not so lucky), it seemed like a decent thing to introduce to the market, especially considering how Turkcell's 4.5G network is decent and I've personally seen it hit around 150Mbps or so (compare that to Vodafone where I've only seen upwards of 35Mbps or so).

However, these are pretty much where this retrospective started from: bulky GSM (well, in this case LTE) routers. Prices are sky high, there's quotas in place (as it's not a fixed internet connection), and reviews are horrible. 200GB quota at 4.5G speeds costs the same as unlimited 100Mbps fiber plan by Turkcell Superonline, and so does the unlimited 10Mbps plan. Yet people go for it anyways.

That's all for this retrospective. The point of this post was to help readers of my other post understand why they were once popular, but are not anymore, and subsequently why they're so easily available for so cheap.

Cloudflare has many employee resource groups (ERG), and they've become somewhat of an in-joke at this point. Some of them are actually good, some are, less so (vets being advertised as diverse is a bit of a joke tbh?). I wanted to keep a list of their descriptions (taken from blog posts, tweets and titles) and their logos.

Many stickers of said groups

AFAIK these are up to date as of 2020-03-08. If I'm missing any, lmk.

Afroflare

for employees of African descent

Afroflare logo

Latinflare

for Latinx employees

Latinflare logo

Vetflare

Military Veteran Employee Group

Vetflare logo

If you have a better picture, please send it to me here.

Proudflare

a LGBTQIA+ Employee Resource Group (ERG)

Proudflare logo

Womenflare

Womenflare logo

While the name is self explanatory, I don't want to include descriptions unless they're from official sources (as that's what I did for all other ERGs). If you find one that explains it (can be as simple as “Womenflare, our ERG for all women working at Cloudflare”), please send a link to me here.