From Jellikkettu, bull run/fight, 2012, Tamilnadu, India

Somehow this photo I happen to take few years ago depicts the current crytpo currency markets. I find it ironic that the bull is surging here though people say its a bear market.

The reality is that, people will gets crushed underneath even once the bull lands on the ground.


Jallikattu, aka the sport of taming the bull for a price money seemed to be our way to defeat nature, tame the beasts of uncertainty and celebrate all the good things of humanity – courage, commitment, patience valor. And yes, if one doesn’t celebrate life it does invite the wrath of Gods. We used to celebrate and had Jelikattu among many other things. Thus it happened for a thousand years. Or from the days we walked on two legs.
But, somewhere we lost the balance and what we see today is a fight for survival, the fighters don’t show valor, the bulls doesn’t feel it, they are scared. Chained and in the shadows of uncertainty, on a path nowhere both man and beast, past and the nothingness of future fights here within the double barricades.
Both men and beast looses. Nothingness wins.
inevitability. period.

From my original write up in flickr


Somehow I find lot of people interested in product ideas end up meeting me and the ideas often surprise me either with the uniqueness or lack of it. The lack of skills and the reluctance of pick it up seems to be common trait in most of the cases. But then some people understand it and try finding mentor’s and succeed. Perhaps this will be a good idea to share some of the thoughts from personal experience.

Find a niche

I think this is one of the important aspects of succeeding with a startup idea in any area. But care must be taken to make sure that the niche will grow enough to provide the return to sustain the idea (product or service whatever the idea is). The second point it should be possible to generate enough revenue to keep going.

There 2 personal experiences of finding a niche segment and then not able to scale up : though there was a rock solid team, timelines were met etc etc.

Find a niche, boot strap and run after MONEY !

In the first example, we had a photo agency where we catered to a niche – sports photography and within the segment we focused on football. This was during the time i-league was started and we even had AIFF as client.We had a super cool name :

MangoPeel

We had award winning photographers across the country, we probably managed to publish photos faster the best, we trained photographers to upload photos, process them & we paid them probably 3 times what they used get paid. All were happy. Though all were happy, we had issues with collecting payments. After an year of operations throughout which we were break even, we had to wind it up.

Why we didn’t take off ?

I think we lacked in collecting the payments. Personally, I was too shy to ask for payments. I don’t think we were ready with money! Technically, though we had found a niche and managed to bootstrap, we couldn’t generate enough revenue to keep going. Having right skills in finance is very important. This is one point often Entreprenures overlook as they get carried away by passion. For us this was the best thing, as photography was our passion

 

 

MangoPeel is started by two young photography & travel enthusiasts who came to to know about each other through their photos. They had dreams to do things differently & courage to do it. They met at a beach side restaurant to discuss their future plans and MangoPeel was born.
MangoPeel is started by two young photography & travel enthusiasts who came to to know about each other through their photos. They had dreams to do things differently & courage to do it. They met at a beach side restaurant to discuss their future plans and MangoPeel was born.

 

about-photo-2014-11-30_11-19-04

 

Find a niche, but make sure that there is enough growth in demand

This is a particularly interesting case as this was novel & the first of its kind. We launched India’s First Web TV – IndiaVibes.TV

Once again everything was uber cool, India was about to witness a massive upgradation in internet connectivity, the magical 3G was about to get launched. Our timing looked good. We had enough programs, impressions everything looked good. But one assumption failed – the high speed internet wave didn’t take off the way we expected. This was something we never expected as projections regarding internet speed & availability at low cost miserably failed to meet the expectations. Years down the down even now the 3G connectivity is poor across the country. The writing on the wall was clear. We had wind up the show in sometime.

This was unfortunate, but I think this can happen to anyone even if everything looks good. Finding a niche & then making sure that there is enough demand is very important. If there is not enough demand, we MUST pivot and move ahead.

 

Find the niche, follow the Lean startup approach & launch fast. I think this needs an elaborate post & will talk about this in another post.

 

Raising funds are easier now with the token based economy and its a good idea if you can make use of the current Eco-system to find seed money.

information!

Understanding the type of information stored in the blockchain will help us to decide how to implement Oracles means for  the cross chain communication etc.

A blockchain is a Distributed OpenLedger of Records Contracts & Transactions between multiple parties.

Records = Assets, People, In Game assets, Non Fungible Assets, a real world farm.


Contracts = A transfer of an asset (say, a farm) between 2 people can be depicted in a contract. In the real world a contract will be defined in a legal language. Various laws of the state will become applicable. In the context of a blockchain, a contract will be written in a “Smart Contract Language.” Blockchains that support contracts have their own language constructs applicable only in their respective context.


Transactions = The action of transferring an asset, or an action on a unique address or transfer of value is defined as a transaction in the context of a blockchain.

this is a mirror of the page at : http://jfcarter.net/~jimc/documents/vpn-setup-1501.html

James F. Carter <[email protected]>, 2015-01-23

I have recently reorganized my home network’s wild side naming and addressing, and the challenge now is to update the VPNs’ configurations and to get them working again. 

Network Names and Addresses 

For security by obscurity, in this document example.net is my domain name, certified by a reputable trust vendor (Startcom), whereas example.org is the internal name certified by my own self-signed X.509 root certificate. Although this root cert is installed for TLS on my personal machines, it’s a challenge to get Android to use it consistently, which is why I have the split naming scheme. Also, if I want to pass a URL to someone else, they will not have my root cert. 

There is one wild side interface which gets a dynamic IPv4 address from my ISP (Verizon FIOS). When it changes it is registered with my outsourced DNS vendor (dyn.com) under the name example.net (no 1-component hostname). It is also registered with my IPv6 tunnel broker (Hurricane Electric). The wild side IPv6 address is fixed. The internal fixed IPv4 address of the router is also registered in Dyn’s DNS under the name jacinth.example.net, and the same address is known to the internal DNS server as jacinth.example.org.

I have three VPNs: StrongSwan (IPSec), OpenVPN on port 1194/udp, and OpenVPN on 443/tcp. The latter is the last choice, but it is unfortunately very common for hotel Wi-Fi nets to block all ports except 53, 80 and 443 (TCP only). HTTPS service on example.net is provided on a nonstandard port; in fact I have a small collection of these: 

  • 1443 — OOBA, password authentication
  • 1444 — OOBA, X.509 client authentication
  • 1445 — OwnCloud and Roundcube (mail), auth by Kerberos, password, etc.
  • 1446 — OwnCloud and Roundcube (mail), X.509 client authentication
  • 1447 — Generic HTTPS

OOBA means Out of Band Authentication; it opens a firewall hole for the client, and without it no traffic gets in except for the VPNs, OOBA itself, and incoming mail. If the remote network is blocking ports, the OOBA ports definitely will be included. 

StrongSwan (IPSec) 

As with all VPN software, StrongSwan’s error messages are clear if you already know what the problem is; in other words, they are arcane if your configuration is messed up. Server’s /etc/ipsec.conf 

On the server (example.net), /etc/ipsec.conf reads like this. Remember that within a section each line must begin with whitespace including comments and otherwise blank lines.

config setup
    # Message verbosity for normal operation:
    charondebug = "dmn 0,mgr 1,ike 0,chd 1,job 1,cfg 0,knl 1,net 1,tls 1,lib 0,enc 0,tnc 0"
    # Verbosity for debugging problems:
    #OFF charondebug = "dmn 2,mgr 2,ike 2,chd 2,job 1,cfg 0,knl 1,net 1,tls 1,lib 1,enc 0,tnc 0"

conn %default
    auto = add                  # We're a responder, start when peer connects
    dpddelay = 0                # Rely on rekeying for dead peer detection
    dpdaction = clear
    
    left = %any
    leftauth = pubkey
    # See below about what this cert has to certify.  The root certificate
    # that signed it, and intermediate certs, must be in 
    # /etc/ipsec.d/cacerts/ (symbolic links OK).
    leftcert = /etc/ssl/hostcerts/host.crt
    leftsendcert = always
    leftdns = 192.168.200.193,2001:470:1f05:844::3
    
    right = %any
    rightid = %any
    rightauth = pubkey
    # Any client whose cert is signed by this CA is admitted. 
    # Use this command line to extract the Distinguished Name in your root
    # certificate in the format StrongSwan wants to see:
    # openssl x509 -in root.crt -noout -nameopt sname,sep_comma_plus_space -subject
    # The certificate, and any intermediate certs, must be in 
    # /etc/ipsec.d/cacerts/ (symbolic links OK).  
    rightca = "C=GN, L=Minas Tirith, CN=Example.Net Root Cert 2024"
    rightsendcert = ifasked
    # Assign the client's IP from these pool(s)
    rightsourceip = 192.168.200.160/29,2001:470:1f05:844::c8f0/125

conn roadwarrior
    # The peer just wants access to example.org
    leftsubnet = 192.168.200.192/26,2001:470:1f05:844::/64

conn defaultroute
    # The peer needs to send its default route down the tunnel
    leftsubnet = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1

Server’s /etc/ipsec.secrets

/etc/ipsec.secrets (readable only by root) needs a line for the host key corresponding to the leftcert. See man 5 ipsec.secrets for the format. If the key has a passphrase you can put it after the key’s filename. This means, if the black hats get onto your machine, in addition to stealing the host key they need to also steal /etc/ipsec.conf. This is a rather small increment in security and is a major hassle for other services that use this host key. The identifier should be (I’m pretty sure) the Common Name certified in leftcert (versus a SAN that the client relies on). 

jacinth.example.org : /etc/ssl/private/host.key

Server’s Host Certificate (Leftcert) 

The leftcert has to satisfy two conflicting requirements if you want to use IPSec on Android. You can designate one trusted CA cert, which Android StrongSwan is going to push to the server to induce it to trust the client cert that it also pushes. (The server doesn’t believe in this cert; it uses the cert to identify its own copy which it does trust.) But the same CA cert will be used to establish trust in the server’s host cert (leftcert) — which must certify the hostname that the client used to connect to the server. For the latter a SAN (Subject Alternate Name) is accepted.

I tried without success to use the host cert for example.net that was certified by Startcom: if the Android client had the Startcom cert it refused to send the client cert (certified by example.org, not Startcom); if it had the example.org cert it rejected the server’s host cert signed by Startcom; and if it was told to select a CA cert automatically, it sent cert requests for about 200 CA’s, and I’m not sure what it selected, but trust was not established.

I finally realized that just because Startcom has certified example.net, doesn’t mean that I can’t certify it too. I created a new host cert for jacinth.example.org (Common Name) with a SAN for example.net (and some aliases that I need). Now the Android client believes in its own client cert and in the server’s host cert.Android Configuration

You first need to load your client certificate and key into Android’s certificate storage. Your best bet is to obtain from your Certificate Authority a PKCS#12 file (extension .p12 or .pfx) containing your key, cert, intermediate CA cert(s) (if any) and root cert. It will most likely end up in /sdcard/Download or whatever alias Android is using this year. Start the Settings app, find Security, scroll almost to the bottom and find Credential Storage, and under that, Install from SD Card. In the file listbox click on Download, and you should find your downloaded PKCS#12 file. Click on it, give the password, give a friendly name for the content (which Android will not show when it’s most important), and you’re done. 

To edit the VPN profile, start StrongSwan and long-press on the line item for your connection; the headline changes and you hit Edit. Or for a new connection, just hit Add VPN Profile. On the profile page: 

  • The profile name is arbitrary, just a descriptive title (short and useful).
  • The gateway is the server host. Give a hostname (or IP address if fixed) which you can actually resolve and connect to. It must be certified by the leftcert that the server will send you. 
  • Type is IKEv2 Certificate. There are other possibilities, including a loginID and password (EAP), which I am not using. 
  • User Certificate: You would pre-load your client cert into Android’s certificate storage, and now you select it from the User collection. 
  • CA Certificate: I was able to connect using either the root certificate, or the intermediate certificate that signed both the client cert and the server’s host cert. Using the root cert is more sanitary. 
  • Hit Save when you have finished editing. 

Turning On IPSec (Android)

To turn on IPSec, short-click on the line item for your connection. It should connect promptly. In case of problems a message box will pop up with a choice to view the log file. Linux (Network Manager) Configuration

The Network Manager icon is in your toolbar. On Wi-Fi the icon is the traditional signal strength bars; for a wired connection it is a picture of two computer monitors. Left click to get the connection menu. Near the bottom is a line for VPN Connections; slide to the right and a submenu will open, whose second from last item is Configure VPN. Click on it to get a list of VPN definitions. Click on one (IPSec) and hit Edit, or hit Add. Give the root password (twice) if in paranoia mode. Fill out non-VPN tabs according to your normal policy, specifically on the General tab, I mark All users may connect to this network. On the VPN tab for IPSec: 

  • Gateway Address: Give the server’s hostname or (fixed) IP. Pick one that you can resolve and connect to. It must be certified by the host certificate that the server will send you. 
  • Gateway Certificate: This is your trusted copy of the root cert that signed the server’s host cert, in PEM format. The label is not very specific about what it wants. If there are intermediate certs, they and the root cert should be concatenated.
  • Client Authentication: Certificate/Private Key. There are alternatives that I’m not using, such as a loginID and password (EAP).
  • Client Certificate: This is your own certificate. Network Manager is not as picky as Android; it can be signed by a different CA than the Gateway Certificate.
  • Private Key: The key that goes with the client certificate. See the discussion above about unencrypted private keys. If there is a passphrase you will be asked for it. 
  • Options: I do request an inner IP address (on the server’s net), I don’t insist on UDP encapsulation (StrongSwan will turn this on if ESP isn’t going to work), and I decline compression to resist the BEAST attack. 
  • Hit Save when finished. 

Turning On IPSec (Network Manager)

To turn on IPSec, click on the Network Manager icon, slide to the right end of VPN Connections, and click on the menu item for IPSec. It just takes a few seconds to initiate the connection, if it’s going to work. A padlock is added to the Network Manager icon. If it fails, look in /var/log/debug for clues (assuming one configured /var/log/debug).

OpenVPN (Ports 1194 and 443) 

The configuration for the two OpenVPN ports is almost identical and I will describe both together. On Android the app is OpenVPN Settings by Friedrich Schäuffelhut, and the binary program that it downloads and installs is OpenVPN-2.1.1. Current in OpenSuSE 13.1 dated 2014-12-01 is OpenVPN-2.3.2.Server’s /etc/openvpn/server.conf

The server configuration file goes like this. Host-specific parameters are grouped at the end. 

# Verbosity:
verb 1
mute 10

# Preserve root-only files and options.
persist-key
persist-local-ip
persist-remote-ip
persist-tun

# Lock key and buffers in memory, keeping them out of the swap file.
mlock

# Use a dynamic tun device.  (Could also be tap, for ether bridging.)
dev tun

# Should we use DF for path MTU discovery?  Empirically verify the MTU?
mtu-disc maybe
mtu-test

# Dead peer detection by pings
keepalive 15 31
ping-timer-rem

# Don't complain if started when the network isn't up yet.
ifconfig-nowarn

# Resist denial of service attacks.
connect-freq 1 1

# Allow reconnects with a different IP address (DHCP renew does that sometimes)
float

# Allow multiple connections from the same user, e.g. from different hosts.
duplicate-cn

# https://wiki.debian.org/OpenVPN recommends to push a DNS server for Android.
push "dhcp-option DNS 192.168.200.193"

# Crypto Parameters (must match the peer, can't push them)
# HMAC algorithm (anti-tampering checksum)
auth SHA256

# Cryptographic cipher on main data channel (not used in tls-server/client mode)
cipher AES-256-CBC

# Use LZO compression (with adaptive shutoff)
comp-lzo

# Polarity of this host (tls-client or tls-server)
tls-server

# Diffie-Hellman parameter file, only on server.  
# You should generate your own; runtime: 13 sec on Intel i7-3632QM @ 2.2GHz
# openssl genpkey -genparam -algorithm DH -out dh2048.pem -pkeyopt dh_paramgen_prime_len:2048
dh /etc/openvpn/dh2048.pem

# Server-specific options:
# Protocol and port
proto udp
port 1194
# proto tcp
# port 443

# Multi-client server, uses dynamic addresses from 192.168.200.128/28,
# 16 addresses, 4 per client and the server takes 1 set.  A different
# address range is used for the port 443/tcp server.  
mode server
server 192.168.200.128 255.255.255.240
max-clients 3

# To get on, the client must present a certificate signed by a CA in 
# this file.  PEM format.  Multiple certs may be concatenated.  Include
# intermediate certs.  
ca /etc/ssl/ca/example.org.crt

# If a different root certificate signed the server's host cert, list it
# (and intermediate certs) here or append to the cert file.  
# extra-certs /etc/ssl/ca/example.net.crt

# The server's host certificate and private key (unencrypted).  Recommended
# to appeend the intermediate cert(s) and trust anchor that signed it.
cert /etc/ssl/hostcerts/host.cia
key /etc/ssl/private/host.key


Android OpenVPN Configuration File

On Android the authentic OpenVPN binary is used so the configuration file is nearly identical. It differs in these aspects:

# Accept configuration overrides from the server
pull

# Slightly different ping/keepalive parameters:
ping 60
ping-exit 180
ping-timer-rem

# Server's hostname or IPv(4 or 6).  Use a name you can resolve and connect to.
remote example.net

# Require this Common Name in the certificate which the server will send over.
# Too modern: verify-x509-name jacinth.example.net name
# This option is deprecated:
tls-remote jacinth.example.net

# Polarity of this host (tls-client or tls-server)
tls-client

# Unlike on real Linux, the certificates and key go in the OpenVPN directory
# /sdcard/openvpn , and are specified by relative paths. 
# This is the CA cert(s) that signed the server's host cert.  PEM format,
# and include the intermediate cert(s) if any.  
ca example.net.pth

# This is the CA cert(s) that signed our client cert. 
# extra-certs example.org.pth

# The client's user certificate and private key (unencrypted).
# You are allowed to concatenate the root and intermediate certs and
# to omit extra-certs.  
cert example.org.cia
key example.org.key

You also need to set some preferences. Long-press on the line item for the connection and from the menu pick Preferences. 

  • Use VPN DNS Server (turn on)
  • VPN DNS Server (click on it, and fill in the server’s IP address)
  • Enable Logging (turn on). Now there will be an item in the long-press menu for View Log File. It is rewritten on every connection, and for successful connections it’s not too verbose. 

An issue with OpenVPN is, the tunnel cannot go through itself; there has to be a route from the client to the gateway’s wild side for the tunnel packets to follow. But payload packets to the gateway’s wild side will follow the same route, not through the tunnel. If inimical forces are blocking my payload packets, they will continue to do so with OpenVPN. Or if you have sensitive information not protected by TLS (I don’t), OpenVPN will not be protecting it either. The cure for that is to connect to payload services on the internal address (jacinth.example.net), which willgo through the tunnel.Turning On OpenVPN (Android)

To turn on OpenVPN, launch the OpenVPN Settings app. The first menu item is for turning on the whole OpenVPN mechanism. Then short-click on the line item for your connection. It should connect promptly with progress notes below the connection title. In case of problems turn it off, then long-click on it and pick the choice to view the log file.Linux (Network Manager) Configuration

The Network Manager icon is in your toolbar. On Wi-Fi the icon is the traditional signal strength bars; for a wired connection it is a picture of two computer monitors. Left click to get the connection menu. Near the bottom is a line for VPN Connections; slide to the right and a submenu will open, whose second from last item is Configure VPN. Click it to get a list of VPN definitions. Click on one (OpenVPN) and hit Edit, or hit Add. Give the root password (twice) if in paranoia mode. Fill out non-VPN tabs according to your normal policy, specifically on the General tab, I mark All users may connect to this network. On the VPN tab for OpenVPN: 

  • Gateway Address: Give the server’s hostname or (fixed) IP. Pick one that you can resolve and connect to. It must be certified by the host certificate that the server will send you. 
  • Authentication Type: Certificates (TLS). Password authentication is also possible. 
  • User Certificate: This is your own certificate. Network Manager is not as picky as Android; it can be signed by a different CA than the Gateway (CA) Certificate.
  • CA Certificate: This is your trusted copy of the root cert that signed the server’s host cert, in PEM format. The label is not very specific about what it wants. If there are intermediate certs, they and the root cert should be concatenated.
  • Private Key: The key that goes with the user certificate. See the discussion above about unencrypted private keys. If there is a passphrase, fill it in the next text box. 
  • Advanced – General: Use LZO compression (must match the server’s choice).
  • Advanced – Security: the cipher and HMAC need to match the server’s configuration; they cannot be pushed from the server because the control channel (encrypted) has to be established before anything can be pushed.
  • Advanced – TLS Authentication: Subject Match = jacinth.example.net. This is the Common Name in the server’s certificate. The GUI shows an example where /CN= is prepended, but I believe I tried it and it didn’t work; I never found out why. I leave the other items turned off. 
  • Hit Save when finished. 

Turning On OpenVPN (Network Manager)

To turn on OpenVPN, click on the Network Manager icon, slide to the right end of VPN Connections, and click on the menu item for OpenVPN (normal or tls/443). It just takes a few seconds to initiate the connection, if it’s going to work. A padlock is added to the Network Manager icon. If it fails, look in /var/log/debug for clues (assuming one configured /var/log/debug).

Testing the VPNs 

These hosts were tested as clients: 

  • Selen: Samsung Galaxy S-3 (cellphone) running CyanogenMod-11-M12 based on Android-4.4.4 KitKat. It is directly using cellular data on the wild side.
  • Mica: Asus Transformer Pad Infinity (tablet) running CyanogenMod-11-M12 based on Android-4.4.4 KitKat. It communicates on the wild side via Selen’s Wi-Fi Hotspot (hostapd).
  • Xena: Sony Vaio SVS1512ACXS (laptop) running OpenSuSE 13.1 (Linux). It also communicates on the wild side via Selen’s Wi-Fi Hotspot (hostapd).

My firewall rules prevent many of these tests from working unless the payload packets go through the VPN tunnel. These tests may or may not work without the VPN: 

  • You can do traceroute to an outside host. If the first hop is/isn’t on the VPN gateway, that proves that the tunnel was/wasn’t in use.
  • DNS for [host.]example.net should work whether or not the tunnel is used. But example.org is only available through the tunnel. 
  • Connections to https://$host:1443 or 1444 (OOBA service) will work from the wild side. Look at the reported IP address to see if the tunnel was used. But connections to other ports will hang and time out. Also the gateway’s IPv6 address may be tried and will time out.
  • Firefox has a feature that if you connect to http(s)://example.net/ and it fails, including timeout, Firefox will retry on http(s)://www.example.net/ . In my case this is a CNAME to jacinth.example.net, which has the internal address so traffic will go through the tunnel and connect successfully. Nonetheless, when this behavior is noticed it should count as a failure. 

On Android, the Hurricane Electric Network Tools app was used for the DNS and ping tests, whereas on desktop Linux dig and/or host was used. Firefox was used to test URLs on both OS’s.

On Android when you use cellular data DHCP will give you the IPv4 addresses of your ISP’s DNS server(s). These will not give service to outside hosts, specifically to packets coming from your VPN gateway. Therefore you need to change the DNS server. On Android-4.2 Super Jelly Bean and earlier, you would do setprop net.dns1 8.8.8.8 (Google’s free DNS service is shown). However, starting in 4.3 or 4.4 KitKat DNS queries are directed to netd, a local caching nameserver (which some forum posters say is there to prevent ad blockers from working). There is a new API to control who netd forwards to. And Android-4.4.3 and earlier has a bug in this API, preventing DNS alteration apps from controlling netd. Fortunately, CyanogenMod-11-M8 and later (2014-06-xx) is based on Android-4.4.4 which has the bugfix. 

IPSec on Android does not obey the DNS server announced over the VPN. To get the right DNS server with IPSec I’m using the DNS Forwarder app by Evan He (free, ad supported), which has presets for many popular recursive DNS services; you can also configure your own custom server. It requires root access. For these tests I made changes in this order: 

  • With the VPN off, use the ISP’s DNS or forward to Google.
  • Turn on the VPN. It needs working DNS to resolve the gateway’s IP.
  • Change forwarding to the internal (example.org) DNS server, accessible only through the tunnel. 
  • When tests are done, change forwarding back to Google or to the ISP. 
  • Turn off the VPN.
StrongSwan 
(IPSec)
OpenVPN 
(1194/udp)
OpenVPN 
(443/tcp)
Test Selen Mica Xena Selen Mica Xena Selen Mica Xena 
How long to connect2s 15s2s 4s 5s 6s 8s 10s14s 
DNS for example.net [1]ok okok[5]okok ok[5]okok ok[5]
DNS for example.org [1]ok ok ok[5]okok ok[5]okok ok[5]
Ping to internal IPv4 adrok ok ok ok ok ok ok ok ok
Ping to internal IPv6 adrFAILFAILFAILFAILFAILFAILFAILFAILFAIL
Ping to wild side IPv4 adrok ok ok [3][3][3][3][3][3]
Ping to example.net (wild side)ok ok ok [3][3][3][3][3][3]
Ping to jacinth.example.net (internal)ok ok ok ok ok ok ok ok ok
Traceroute to arachne.math.ucla.edu [2]ok ok ok ok ok ok ok ok ok
http://jacinth.example.net/ ok[4]okok ok ok ok ok ok ok
https://jacinth.example.net:$PORT/ok[4]okok ok ok ok ok ok ok 
http://example.net/ ok[4]okok [3][3][3][3][3][3]
https://example.net:$PORT/ok[4]ok ok [3][3][3][3][3][3]
  • [1] OK means it got the SOA, A, AAAA and MX records.
  • [2] OK means the first hop was on the gateway, proving that the tunnel was being used; the packets were not going direct.
  • [3] Packets are not expected to go through the tunnel; this should not count as a failure. 
  • [4] Usually it asks for the IPv6 address first, promptly asks for IPv4, and sometimes but not always it hangs for about 30 secs. Then usually it retries DNS and is able to connect and show the page with no further delays. 
  • [5] I have a custom /etc/resolv.conf and it had to be hand-edited to use the DNS server for example.org. 

Conclusion on testing: all three VPNs are fully functional except for these deficiencies: 

  • All the VPN servers announce which DNS server should be used (the one in example.org), but none of the clients obey this option. Android’s OpenVPN client has a feature to override DNS, which works. For IPSec on Android you need to use a separate app to override DNS. 
  • On Xena a custom resolv.conf is used which does not automatically use the DHCP provided DNS server, whether correct or not. 
  • Selen’s Wi-Fi hotspot (hostapd) never passes through IPv6 traffic.
  • OpenVPN is unable to pass IPv6 traffic through the tunnel. There are hints that this may be functional in the current version, but it is not set up at present. 
  • Selen itself is unaware that it could send IPv6 traffic through the IPSec tunnel. Thus IPv6 is non-functional for three different reasons.
  • Firefox on Selen with IPSec attempts IPv6 and has about a 30 second timeout before it retries with IPv4, successfully. 

Issues to be worked on in the future: 

  • See if OpenVPN will now pass IPv6 through the tunnel. 
  • See if automatic DNS switching can be made to work on Xena. 
  • Re-test IPv6 on a network natively capable of IPv6.
  • It might be wise to use separate IPv6 addresses for the internal and wild side gateway interfaces. 

From Sun's makeup box | സൂര്യ ദേവന്റെ കണ്ണാടി.
House Boats, Aleppey, Kerala

 

Needless to say, the house boats of Kerala, to be precise in Alleppey is quite popular and attracts lots of tourists. I was curious about the the engine and other finer details, I could find in a trip and here it is:

 

The hidden engine room door in the kitchen

The hidden engine room door in the kitchen of the house boat

Engine
Engine

 

from the engine room

turning the engine - kerala house boat
turning the engine – kerala house boat

electrical wiring, plumbing and septic tank

electrical wiring, plumbing and septic tank

 

 

 

Its been sometime since I wanted to try my luck with fishing again – that means, during my lower primary school days I used tail along Kurichya friends in Wayanad and they used to let me cast the “choonda” with earth worm bait and once or twice gave me their knife with which I hit the water and nothing happened. So, Yesterday, we decided that enough is enough & we will get choonda again. Armed with earth worms, we bought that stick with hooks, went to nearby backwaters, alas in 10 minutes we got 2 fishes.

Now all inspired we went back and bough a bigger stick, oh, fishing raad. Then the class began. The guy at the shop is a champ with this stick ! Poor me. I just wanted to catch fish and now I have this graphite stick, “flow”, a rotating whatever for the “line” with 3 bearings, swivel (2 level one to be specific), clip / lock, I took the lessons well. Oh yea, got few led balls as weight too.

Oh the most important part is “Loore” – this fish like thing is to fool fishes. People claim that the fishes are foolish enough to hit sorry, “bait harder or faster”. I think I already know how to cast this thing – thanks to the “mooppan” who had the patience to teach me this.

After paying for this stick, which was a hefty sum, went to the earlier spot from where we got 2 fishes, successfully casted in the second try, casted again, again, finally realised that the fishes are not foolish enough to be “lured” into. And earth worms may work better. Or may be the fishes are foolish and they don’t know to deal with sophisticated sticks.

Never knew that this fishing thing is a hobby where people talk about the size of their “sticks”, weight it can handle, swivel, clip, lock, line, flow – these seems to be status symbols. (almost like people flaunting their cars, FX cameras, 1.2f 50mm lenses blah blah). Anyways, here I am with 2 fishing rods, one which can catch fishes with live baits, ie earth worms and another super sophisticated stick with even the fishes not understand.

If anyone in an around kochi knows where these ultra sophisticated fishes who understands, loore and other stuff, please do let me know !

For an export oriented business its always good to have EEFC accounts because two reasons. 1. Better forex rates 2. if interested, one can monitor the market & earn some extra revenue.

Lets take case I
———————-

When a client makes a payment in USD, if we have a INR account with an Indian bank, during the wire / swift process, the conversion rate is optimised to make maximum profits for the bank. Say, we will be given lowest rate of the day etc. It gets worse if the transaction is above a threshold say 3K USD as manual intervention is kicked in & we end up getting even lower rate.

If the wire is redirected to a USD EEFC account, we can convert the same against the card rate or the negotiated special rate which will be often better than the floating rate.

Here the process involved is SWIFT and not ACH.

Case II
———–

Closely monitor the forex markets & play the game to get the better rates. If we are really confident, like the sort that does butterfly analysis and stuff, we can go for a loan against the forex reserve and use it for OPEX & may end up making profit from the forex conversion, protection from inflation etc. Now this is for the biggies like infy i guess.

Now the question what is SBIePay, HDFC, Citi licenses do:

they are multi currency payment gateways approved by the RBI. Till now it was not possible for PGs like EBS, CCAvenue, payzippy etc to receive foreign currency & if we use the PGs of banks, they used to take the automated route thus ending up giving us lower rates.

Technically its very simple as all it takes is to receive forex & then deposit to the appropriate EEFC a/c.

But then there was a small catch, it needed RBI permission. And to get that we need to be the likes of CIAL who has say, 100K USD transaction per day.

We can use swift but if the amounts are less than 2000 USD (1920 USD as per a calculation I did few years ago), wire will not be cost effective as the cost for wire is something around 35-45 USD unless there is a special arrangement with the bank. In short for such transactions we end up using services like Paypal. Now they are very aggressive & we end up getting around INR 2.5 less than the market price / card rate per USD. Plus there is a service charge which also quite high. In anycase for 10K USD there will be a loss of INR 25000/- now if the USD is getting stronger against INR, say by 5 paise by the time the cash reaches our account, the loss increase further.

an example with paypal with 4K USD

Amount received will be 3823.70 after service charges.

Total amount:
-Rs.221,822.39 INR (equals -$3,823.70 USD)
Fee amount:
Rs.0.00 INR
Net amount:
-Rs.221,822.39 INR

Conversion from:
-$3,823.70 USD
Conversion to:
Rs.221,822.39 INR
Exchange rate:
1 US Dollar = 58.0125 Indian Rupees

The original amount the client paid was USD 4000. If we calculate at 1 USD = 60 INR, we were supposed to receive INR 2,40,000/- our loss is INR 18178/-

PS: today’s non-negotiated rate with SBT is 59.67 INR / USD.