I recently moved from the US layout to the UK layout for my shiny new MacBook Air M2. I’d get used to the keys; however, my work MacBook is still on the US layout. Therefore, I decided to:
Remap the section key § to tilde/back-tick (I use the tilde and back tick keys a lot)
Remap the original tilde key to the left shift, so that I don’t accidentally hit the tilde in the wrong place
Bring back the keyboard brightness keys by remapping the Siri (F5) + DND keys (F6)
TL;DR: This post isn’t merely a rant after Cloudflare’s recent outages, but rather meant to serve as an after-thought: is Cloudflare ruining the entire concept of a distributed internet? Is it on a path to violate Net Neutrality?
Let’s analyse it a little bit.
What is it?
Cloudflare’s Zero Trust Gateway routes all internet traffic from your devices, such as your laptop, via Cloudflare’s internet backbone. Most likely, your personal device wouldn’t be connected to the Zero Trust Gateway, since it’s almost always deployed by enterprise companies.
What’s wrong with it?
The internet is de-centralised – no single authority can take it down, nor control traffic across it. In its literal sense, “internet” means interconnected networks. This means that you’re reading this post through a bunch of networks that eventually connect to the host where this blog is hosted, in Amsterdam via Digital Ocean. The source of your connection could be anything – a 5G capable device, a wired network connection being shared in a building, your ISP, etc. The list goes on and on.
However, Cloudflare Zero Trust Gateway routes ALL your traffic through a bunch of proxies that Cloudflare exclusively controls:
Yes, Cloudflare actually runs an active MITM attack, decrypting all your TLS data. Fuck off Cloudflare!
And now we get to the real problem: when Cloudflare deploys a buggy version of their software, to the end user (that is, you) it appears as if the entire internet is down. You can’t get work done, nor can you do anything productive with that €3000 MacBook you’ve just bought. Surprisingly, this happens more often than not, especially in recent times.
In the future, if Cloudflare Zero Trust Gateway captures any significant market share (hopefully unlikely), they can suddenly start to make decisions that violate Net Neutrality.
Net Neutrality
If you’ve never watched John Oliver’s take on Net Neutrality, watch it here. ISPs have done such things in the past, and have managed to get away with it, albeit far fewer of those severely offending ISPs exist today (if somebody finds a valuable source for or against this, please post it in the comments). Of course, the giants still continue to live on.
Final Notes
In order to preserve Net Neutrality and the openness of the internet, no single company should own a significant chunk of the internet traffic. If your company is pushing for Cloudflare Zero Trust Gateway, push your IT administrator to read this post, and help point them in the right direction.
When we moved to Cloudflare WARP at CleverTap, everything worked as expected, except for the AWS CLI:
SSL validation failed for https://ec2.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)
The problem with Cloudflare WARP is that it’s the equivalent of Charles Proxy – presenting its own certificate for everything. While this works for almost everything, it doesn’t work for tools that use a well known and publicly trusted CA bundle.
Moreover, AWS’ CLI v2 is built with Python, which apparently doesn’t even have access to macOS’ Keychain. So, although that Cloudflare WARP certificate is installed in Keychain, tools from JetBrains and AWS’ very own CLI will refuse to work.
The solution? Download a .crt from Cloudflare’s documentation, convert it to a .pem (using Keychain), and then add it to your CA bundle (in my case, the default one installed by Homebrew).
Preparing the certificate
Download the certificate from here. Next, open it up in Keychain:
Right click on that entry, to see the Export option:
Export it as a PEM:
Hit Save.
Installing the certificate
And now to the tricky part. The CA bundle that AWS uses for its CLI is a mystery. However, it does allow one to override that, by using an environment variable. So, we want that CLI to trust the usual set of root certificates, along with Cloudflare’s. OpenSSL installs a decent set of trusted root certificates, which we can append to:
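As an added example (not the post’s own script), the same procedure in Python, which also accepts the raw DER .crt so the Keychain export step can be skipped; the paths in the usage comment are assumptions for a Homebrew OpenSSL install:

```python
# Added example, not the post's own script: merge the Cloudflare WARP root into a
# copy of the OpenSSL bundle and point the AWS CLI at it via AWS_CA_BUNDLE.
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_ders(text: str) -> list[bytes]:
    """DER bytes of every certificate block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def load_cert(raw: bytes) -> bytes:
    """Accept one certificate as PEM (Keychain export) or DER (.crt download)."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        ders = pem_to_ders(raw.decode("ascii"))
        if len(ders) != 1:
            raise ValueError("expected exactly one certificate in PEM input")
        return ders[0]
    if raw[:1] != b"\x30":  # every X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("input is neither PEM nor DER")
    return raw

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha256_fp(der: bytes) -> str:
    """SHA-256 fingerprint, comparable with what Keychain shows for the cert."""
    return hashlib.sha256(der).hexdigest()

def build_bundle(base: Path, extra_cert: Path, out: Path) -> int:
    """Write base bundle plus extra cert to out, skipping duplicates; return count."""
    text = base.read_text()
    ders = pem_to_ders(text)
    if not ders:
        raise ValueError(f"{base} contains no certificates")
    extra = load_cert(extra_cert.read_bytes())
    if sha256_fp(extra) not in {sha256_fp(d) for d in ders}:
        text = text.rstrip("\n") + "\n" + der_to_pem(extra)
        ders.append(extra)
    out.write_text(text)
    return len(ders)

# Usage (assumed paths): build_bundle(Path("/usr/local/etc/openssl@1.1/cert.pem"),
#   Path("Cloudflare_CA.pem"), Path.home() / ".aws/ca-bundle.pem"); then
#   export AWS_CA_BUNDLE=~/.aws/ca-bundle.pem before running the aws CLI.
```

Keep the original bundle untouched and point only the AWS CLI at the copy, so the extra root is trusted by exactly the tool that needs it.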
For those of you who aren’t aware of ESP NOW, it’s a communication protocol developed by Espressif for their ESP modules.
What began as a simple “hook up my plant lights to HomeKit”, turned into a massive home grown firmware, but more about that in another post.
I’ve successfully set up a bunch of ESP 8266 modules to talk to one “hub” ESP 8266 module, which then talks to my WiFi network and exposes everything as HomeKit accessories.
While doing so, I learnt:
It’s not possible to go back to light sleep with GPIO interrupt enabled after sending a payload via ESP NOW.
ESP NOW really really likes WiFi channel 1. On the transmitter side, setting the channel via esp_now_add_peer() doesn’t seem to be a reliable way of having it transmit on the desired channel. u/cperiod on Reddit confirmed this. His/her solution was to spawn an AP temporarily to switch the channel: https://www.reddit.com/r/esp8266/comments/lj953m/poor_esp_now_range_if_no_line_of_sight/gnemjps/
Since the channel needs to be fixed, ensure that your home WiFi network doesn’t jump. I configured my router to keep to channel 6 (the best for an apartment) always.
ESP NOW payloads are usually delivered at their first attempt, but it doesn’t hurt to add an automatic retry feature in your firmware. For me, my low power motion sensors attempt up to ten times.
It’s incredibly efficient when it comes to range. Payloads were delivered across two walls in my apartment. No additional antenna was used, just the standard one on the Wemos D1 Mini. Somebody on Reddit claimed four walls in their apartment :)
That’s it! I’ll write a post about the entire setup + my home built plug and play firmware later.
Recently, at CleverTap, we’ve begun migrating some of our largest clusters to a new protocol (for starters, think ~115 instances at a time). One of the most fun things I’ve had my hands on during this migration was the AWS Systems Manager API.
When we scaled up our migrations gradually from a 10 node cluster, we were challenged with dealing with API throttling exceptions (because sure, who wouldn’t throttle their APIs?). Two immediate solutions came to mind:
Review every usage of the SSM client and handle the throttling exception gracefully
Wrap the SSM client and handle the throttling exception transparently
Naturally, we settled for option 2. I am a big fan of hidden abstractions. So what did we do? We implemented the AWS interface in question, only to discover that we’d have to handle a ton of methods individually (obviously copy/paste). There had to be a better solution!
And then, Google did its thing. We discovered Dynamic Proxies. And voilà! We were able to transparently handle and implement an auto retry strategy within just 14 lines!
Here’s what it looked like:
The code above can be easily adapted to various SDKs (in our case, it was the AWS SDK).
Now, all we had to do was pass around this proxied instance, and voilà, the consumers of this API had no clue that the API implemented an auto retry mechanism!
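The same transparent retry, as an added example rather than the post’s Java proxy: in Python, `__getattr__` takes the place of `java.lang.reflect.Proxy`, and the example goes a step further with exponential backoff and jitter. The boto3 client and `is_botocore_throttling` predicate are assumptions, not the author’s code:

```python
# Added example, not the post's Java code: the same transparent retry wrapper in
# Python, where __getattr__ plays the role of java.lang.reflect.Proxy and catches
# every method of the wrapped client without listing them one by one.
import random
import time
from typing import Callable

class ThrottledRetryProxy:
    """Wraps any client object: calls that raise a throttling error are retried
    with exponential backoff and full jitter; everything else passes through."""

    def __init__(self, target, is_throttled: Callable[[BaseException], bool],
                 max_attempts: int = 5, base_delay: float = 0.2,
                 sleep: Callable[[float], None] = time.sleep):
        self._target = target
        self._is_throttled = is_throttled
        self._max_attempts = max_attempts
        self._base_delay = base_delay
        self._sleep = sleep  # injectable so tests need not really wait

    def __getattr__(self, name):
        if name.startswith("_"):  # never proxy private names (avoids recursion)
            raise AttributeError(name)
        attr = getattr(self._target, name)  # unknown methods fail exactly as before
        if not callable(attr):
            return attr

        def retrying(*args, **kwargs):
            for attempt in range(1, self._max_attempts + 1):
                try:
                    return attr(*args, **kwargs)
                except Exception as exc:
                    # Retry only throttling, and only while attempts remain;
                    # the consumer sees the original exception otherwise.
                    if not self._is_throttled(exc) or attempt == self._max_attempts:
                        raise
                    cap = min(self._base_delay * 2 ** (attempt - 1), 20.0)
                    self._sleep(random.uniform(0, cap))
        return retrying

def is_botocore_throttling(exc: BaseException) -> bool:
    """Predicate for boto3: a botocore ClientError carrying a throttling code."""
    codes = {"Throttling", "ThrottlingException", "TooManyRequestsException",
             "RequestLimitExceeded"}
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code") in codes

# Usage (boto3 assumed): ssm = ThrottledRetryProxy(boto3.client("ssm"),
#   is_botocore_throttling); ssm.send_command(...) retries transparently.
```

Bound the attempts and cap the backoff, as above, so a misbehaving API cannot turn a throttled call into an unbounded retry loop.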
This Christmas, I added a whole bunch of lights powered by 5V power sources. My goal was to switch them on at sunset, and switch them off at sunrise, by using a MOSFET for power control :)
While I was doing this, I wanted to send OTA updates of my Lua files to the ESP8266 via WiFi. For some unknown reason, I couldn’t use luatool.py’s TCP update method.
So, I ended up building my very own OTA update protocol (which turned out to be fun!). To begin, add ota.lua to your project, and invoke it using dofile("ota.lua") in your init.lua:
Then, to use this shiny new TCP endpoint created on your ESP8266/NodeMCU, create a wrapper shell script:
This post is a work in progress (WIP). The result of this experiment is a success. I have flashed my SparkFun nRF52840 mini, and I’m able to run the bicycle combined speed & cadence sensor example.
Before we begin, a big hats off to Charles, who brought support for the SparkFun board I have to the Adafruit nRF52 bootloader. Cheers Charles! I owe you a beer :) – GitHub profile, blog
Important software versions:
nRF SDK: nRF5_SDK_15.3.0_59ac345
ARM GCC: 8.2.1
s340: s340_nrf52_6.1.1
board: SparkFun Pro nRF52840 mini
2. Copy over src/linker/s140_v6.ld to src/linker/s340_v6.ld – there are zero differences between these two files
3. Patch your main.c from the checked out source to initialise the soft device with the ANT_LICENSE_KEY
4. Patch the Makefile to use the s340 soft device files
5. Place the contents of the s340 archive (sign up for the evaluation licence from thisisant.com, wait for 1 business day, and then download the s340 soft device)
6. Flash your nRF52840 device (double reset to enter the DFU mode)
$ make BOARD=sparkfun_pro_nrf52840_mini SERIAL=/dev/tty.usbmodem14301 dfu-flash
7. Verify
When you enter DFU mode after the above command completes, the contents of INFO_UF2.TXT must look something like the contents here:
Since your board now runs the s340 soft device, update the FLASH and RAM values in your app’s linker script:
The new values are not black magic. They’re documented here: https://devzone.nordicsemi.com/nordic/short-range-guides/b/getting-started/posts/adjustment-of-ram-and-flash-memory
Resources:
RAM and FLASH addresses: https://devzone.nordicsemi.com/nordic/short-range-guides/b/getting-started/posts/adjustment-of-ram-and-flash-memory
MBR and boot loader info from Nordic: https://infocenter.nordicsemi.com/index.jsp?topic=%2Fsds_s132%2FSDS%2Fs1xx%2Fmbr_bootloader%2Fmbr_bootloader.html&cp=3_4_1_0_11
A lot of posts describe how to do this, but are fairly outdated, and do not mention the last supported K8s version. Here’s a tried and tested way to do so via Helm. This has been tested on GKE, with the Kubernetes master version 1.9.7-gke.6:
Create the service account for Tiller – the Helm server
$ while ! kubectl get pod -n kube-system | grep tiller-deploy | grep Running &> /dev/null; do
echo "Waiting for the tiller-deploy pod to be ready..."
sleep 1
done
Lately, I noticed that IntelliJ started to pause for quite some time during its GC cycles, and that it was very frequent when I was editing three files (over 1.2k LOC each) split vertically.
The current version of IntelliJ runs on a bundled version of Java 1.8, whose default garbage collector is Parallel GC. While this works for most people, it didn’t for me.
After a ton of reading up on how GC works, and the fine tuning parameters for G1, I put it to use. Here’s a copy of my idea.vmoptions file:
TL;DR: A DigitalOcean droplet, strongSwan, and a custom Configuration Profile for iOS routes all the traffic from my iPhone via my droplet. Why? Just because I can.
Note: This setup does not require you to download Apple Configurator and switch your iPhone into Supervised mode (we will create a configuration profile by hand instead, and install it on the iPhone).
Configure strongSwan by following all the instructions here
Ignore the part about configuring the firewall, we’ll do this later
You don’t need to install any certificates on your iPhone/iPad/Mac as we’re using a pre-shared key (PSK) instead of a certificate based client authentication mechanism
Allow traffic to be forwarded from your server by adding the two iptables rules here
Be sure to modify the network in the two iptables commands (it should match the one specified in your strongSwan config)
Save the two rules which you’ve just added
service iptables save
Open up UDP ports 500 and 4500 for your instance if required (AWS/DigitalOcean/etc)
Adapt the following Configuration Profile for your iOS device
Replace the following variables with reasonable values for your setup:
MY_PROFILE_NAME - Only used for display purposes
MY_DOMAIN - Just for scoping
MY_STRONGSWAN_SERVER_IP_ADDRESS - Your server's IPv4 address
MY_ACCOUNT_NAME - See /etc/strongswan/ipsec.secrets
MY_ACCOUNT_PASSWORD - See /etc/strongswan/ipsec.secrets
MY_INITIALS - Your initials (eg: JP)
Once you’ve updated the content of the XML file above, rename the file to VPNConfig.mobileconfig. Then, either AirDrop it to your iPhone/iPad, or transfer it by some other means.
Since we’re using a PSK, as soon as you install the profile, it’ll prompt you for the PSK. This can again be found in /etc/strongswan/ipsec.secrets.
All done! :)
Cheers on your newly established, always on VPN tunnel between your iOS device and your server!
The Configuration Profile was inspired by Thomas’s blog post here.
This year, for the very first time in Mumbai, LetsTuneup is hosting an exclusive, invite only Secret Santa gathering.
I got invited!
I was one of the first to be invited (yes!). We’re planning to have a fun filled, gift exchanging afternoon sometime during the Christmas week. The venue is yet to be declared. If you’re looking for an invite, tweet to LetsTuneup!
More information about this event is available here.
We’re looking forward to meeting all of you out there!
Today marked a significant milestone in LetsTuneup’s life – we were interviewed live by RJ Sangeeta on Ishq 104.8 FM in Mumbai!
How it all came about
Yesterday, the morning show producer of Ishq FM messaged me, and asked if the RJ could talk to me the very next morning for a brief chat about LetsTuneup. The producer had read about LetsTuneup in an app review which was published by one of our fans a couple of weeks ago.
RJ Sangy hosts a morning show called Ishq Hangouts. We did a brief interview which lasted for about 12 minutes this morning.
For those of you who missed it earlier today, here’s the audio recording of the chat, split over four parts.
Personally, I’ve never been on air before. I loved my first experience, albeit I was extremely nervous just before it – the quick fix, I was listening to Mirrors by Niall Horan on a loop for about ten minutes just before the interview :)