Encryption is Not Rocket Science


The recent Apple iPhone versus the FBI case being tried in the court of public opinion is an interesting example of the fact that encryption, and the use of encryption, can be created by any individual or any business to protect their data.    All those spy movies where computers easily crack password codes are just plain fantasy.  A well-engineered encrypted password cannot be broken. Unless, of course, the person that created the encryption is forced to put in a back door for the FBI.

The point is, if I really wanted to encrypt something from all entities, I would not rely on a commercial encryption version provided by Apple or my browser, because, as we have seen, the FBI will use whatever muscle they have to make sure that they can get in.

When you are done with the the encryption exercise  below, you can go ahead and tattoo your bank password on your face without a worry that anybody would ever figure it out.

Let’s start with a typical password that you  might use for a bank account “alfred!1”

First we’ll take the alphanumeric value of each letter such that a=01, l=12, f=06, r=18, e=05 d=04. And for the 1 we can use first letter of the alphabet so that 1=A, 2=B etc. So you could just make your password 011206180504!A, which is the numeric representation of alfred!1 (note I just left the “!” alone)

Now lets put some meaningless garbage on the front of the password. Two meaningless letters, such as CD.

Now lets add 2 to the original numbers in the password, so now we get

CD031408200706!A

Now take the day of the month you were born in and add it to the first number. 03+21 = 24, I was born June 21

So now we have CF241408200706!A

Each time you apply a step to the password encryption the more difficult cracking it becomes.  I did not take this one far enough to make it impregnable to a sophisticated hacker,  but hopefully you see the point. Just keep applying  rules to your password changing it at each step. The more steps you apply, the more mathematically safe your password encryption becomes.

The advantage of creating your own encryption scheme is that all you need to do is remember how to unwind these steps to recover your password, you do not need to remember your actual password, so any time the bank forces you to change your password go ahead and change it, and write it down on your hand, or face, or all over your refrigerator. As long as you remember your encoding method, you can keep your passwords in plain site.

Believe it or not I actually write my encrypted pin codes on my ATM cards!

Hacker Sting Operation


I was just reading an article about a cyber security company that advocates hacker containment. The basic premise of the article is that hackers are going to get into your system and you can’t block them.  At some point they give specific advice that once a hacker is beyond your firewall,  you should lead them around a bit and limit the damage.  But, to be completely honest, I did not read the article far enough to learn exactly what they were proposing as a solution.  Perhaps they are right, or perhaps they have a few screws loose? The point is, their article sparked a novel idea. Why not sting the hackers?  I suspect US counter intelligence is doing this already, but there is no reason why it can’t be done at a corporate level.

Let’s assume they are correct and you can’t block hackers from getting in.  Instead of playing defense, why not play a little offense? Give the hackers a money pack with an exploding ink bomb.

What would this ink stained cash look like in cyber space?

How about a data base of fake financial records, that you carefully protect, but leave a few security holes. Then when you see anybody accessing these accounts, you go after them and prosecute the perpetrators when they try to use the accounts. Suck them into a face-to-face meeting to pick up gold bullion and arrest them, just like with any police sting. This might not stop the hacker, but it would have the effect of making their wares useless on the open market. Think about the drug dealer who rips off his customers, eventually somebody rats them out? Or kills them?

The idea would be instead of spending billions of dollars on security, spend a billion or two on laying traps for hackers that will help expose them and their customers.  If you hide enough ink bombs in your records, it might turn the tables a bit!

Caching Your iOS Updates Made Easy


If you have talked to us about caching in recent months, you probably know that we are now lukewarm on open ended third party caching servers . The simple un-encrypted content of the Internet circa 2010 has been replaced by dynamically generated pages along with increased content encryption.  It’s not that the caching servers don’t work, it’s just that if they follow rules of good practice, the amount of data that a caching server can cache has diminished greatly over the last few years.

The good news is that Apple has realized the strain they are putting on Business and ISP networks when their updates come out. They have recently released an easy to implement low-cost caching solution specifically for Apple content.  In fact, one of our customers noted in a recent discussion group that they are using an old MAC mini to cache iOS updates for an entire College Campus.

Other notes on Caching Options

Akamai offers a cloud solution. Usually hosted at larger providers, but if you are buying bandwidth in bulk sometimes you can often piggyback on their savings and get a discount on cached traffic.

There is also a service offered by Netflix for larger providers.  However, last I checked you must be using 10 gigabits sustained Netflix traffic to qualify.

Capacity Planning for Cloud Applications


The main factors to consider when capacity planning your Internet Link for cloud applications are:

1) How much bandwidth do your cloud applications actually need?

Typical cloud applications require about 1/2 of a megabit or less. There are exceptions to this rule, but for the most part a good cloud application design does not involve large transfers of data. QuickBooks, salesforce, Gmail, and just about any cloud-based data base will be under the 1/2 megabit guideline. The chart below really brings to light the difference between your typical, interactive Cloud Application and the types of applications that will really eat up your data link.

Screen Shot 2015-12-29 at 4.18.59 PM

Bandwidth Usage for Cloud Based Applications compared to Big Hitters

2) What types of traffic will be sharing your link with the cloud?

The big hitters are typically YouTube and Netflix.  They can consume up to 4 megabits or higher per connection.  Also, system updates for Windows and iOS, as well as internal backups to cloud storage, can consume 20 megabits or more.  Another big hitter can be typical Web Portal sites, such as CNN, Yahoo, and Fox News. A few years ago these sites had a small footprint as they consisted of static images and text.  Today, many of these sites automatically fire up video feeds, which greatly increase their footprint.

3) What is the cost of your Internet Bandwidth, and do you have enough?

Obviously, if there was no limit to the size of your Internet pipe or the required infrastructure to handle it, there would be no concerns or need for capacity planning.  In order to be safe, a good rule of thumb as of 2016 is that you need about 100 megabits per 20 users. Less than that, and you will need to be willing to scale back some of those larger bandwidth-consuming applications, which brings us to point 4.

4) Are you willing to give a lower priority to recreational traffic in order to insure your critical cloud applications do not suffer?

Hopefully you work in an organization where compromise can be explained, and the easiest compromise to make is to limit non-essential video and recreational traffic.  And those iOS updates? Typically a good bandwidth control solution will detect them and slow them down, so essentially they run in the background with a smaller footprint over a longer period of time.

Do We Really Need a Home Security Network Device ?


A friend of mine sent me a note this morning, asking if our bandwidth shaping device could provide the same type of service as this new DoJo application. Their niche is basically that you cannot trust third-party devices in your home network from being hijacked. For example, the software engineers writing the code that allows you to remote control your dishwasher from your iPhone, are likely not security experts. It is a reasonable assertion that a hacker might exploit a security hole in their software.  The Dojo will detect any smart device breaches and take action, a good idea for sure.

I spent about 20 minutes reading  and thinking about their specification and what value that provides to the home user.  And then it hit me, there is a more obvious precaution to  secure your home network that you might be overlooking.

IN 2016 and going forward THERE SHOULD BE NO REASON TO STORE ANY PERSONAL DATA ON  YOUR HOME NETWORK.

  • Gmail in the cloud
  • Quick books in the cloud
  • Banking in the cloud
  • Facebook in the cloud
  • Google Docs in the cloud
  • Stock Trading in the Cloud

No, nothing is ever completely  secure, and certainly anything you put in the cloud can be hacked, but in my opinion, the level of security afforded by the cloud is far better than anything you can rig together on your home network.

Think about it…

Your bank spends hundreds of millions on staying ahead of hackers. You have secret pictures, secret questions that  challenge you about your second cousin’s favorite hobby.  They know when you coming from new or different IP address.

Gmail now tells you when there is a login from a non standard computer.

These modern cloud applications are about as secure as a consumer could hope for. For the same reason you should not keep wads of cash in a safe in your house, you should not keep any personal information on storage devices in your house. Let your dishwasher go hog wild, who cares. I catch hackers on my network all the time, they have hijacked a few servers to send spam and attack other consumers (my bad), but there is really nothing of interest laying around on any of my devices other than some geezer MP3 music, and my vacation photos on my iPad that nobody else wants to look at anyway.

But if you must secure important data in your home network yes go ahead and invest in a device like the Dojo, it can’t hurt, but before you do that change your habits and use the cloud whenever possible.

Art Reisman

CTO http://www.netequalizer.com

Speed up Your Browser, Free Yourself From Java Script


This morning I read an article by Klint Finley about his experience with disabling Java Script.  I am about 8 hours into my experiment now, and here is what I have found so far.

The results were amazing for the on-line periodicals (traditional newspapers) that I like to browse through. Even with my 20 megabit Internet connection, some of these sites are just endless piles of garbage with advertisements and videos popping up, forcing screen refreshes, and making the content unreadable.  Some of them take so long to load, I just give up and get back to work. With Java script turned off, all that changed.   I have not tested the limits on this yet, but I was able to get through a couple of these sites clicking to various articles and my delays were about 1/10 of normal, which is a significant improvement.

On the downside I found some of  the web-based applications that I depend on to be nonfunctional.  Klint mentions issues with Google Docs, but it goes farther than that. My Google Calendar did not work and neither did my WordPress or Cisco Webex. What I am doing now on my MAC laptop is keeping two browsers active.  Firefox with Java Script disabled, and Safari with it enabled.  I feel that this is a good compromise and worth the effort of switching.

Editors Note: Turning off Java Script is only going to impact things that you launch from a traditional browser. The pre- loaded applications on your devices do not use Java Script.

 

Comcast at It Again, Shaping Amazon Content


Sunday night I decided I would finally try watching the Sopranos.  Amazon offers Sopranos content for $1.99 an episode, which saves me the hassle of getting a full year HBO subscription to get episodes.  First pass on my smart internet connected TV,  I could not get the Amazon stream to run at all, and so I reverted to watching it on my laptop.  It came up on the laptop, but the video was choppy and constantly breaking up, stalling etc.   In other words it was being throttled by Comcast.  Solution?

I just fired up my IPvanish which hides the source of the video from Comcast, and presto, I was able to watch the whole episode without an issue.   If you experience content streaming problems with your National ISP try using a VPN tunnel, it has worked for me quite well.

There are other posts about this practice.

There is something rotten in the state of online streaming.

How to get access to blocked Internet Sites.

Editors Note: I completely understand why they throttle content, and have covered the economics behind this before. I just don’t like the secrecy  and deception around it, hence I will continue to publish articles when I find it.

Art Reisman
CTO, http://www.netequalizer.com

What is Your True Internet Speed? Are those Speed Tests Telling the Truth?


When the consumer Internet came of age back in 1990, there was never any grand plan to insure a consistent speed from one point to another. Somewhere along the line, as the Internet went from an academic tool to an essential consumer device, providers in their effort to “out market” one another began to focus on speed as their primary differentiator. By definition, the Internet is a “best effort” corroboration between providers to move your data. No one provider can guarantee a consistent Internet speed for everything you do.  They only have control over their own physical lines, and even then, there are variables beyond their control (which I will address shortly).

Let’s take a look at the speed of wired networks common to most consumers, Cable and DSL.

The physical line into your house is generally what your cable or DSL provider is talking about when they advertise your Internet speed. Essentially, how fast is the link between the providers NOC and your house. Generally you will have a dedicated line for this, and so your speed on this last mile link does not vary.

The good news is that most consumers are more concerned with watching movies, video, listening to music, etc. than they are about pulling research data of some obscure server in Serbia. Given this reality, the Industry has gotten very smart, and popular content is not hosted at some distant server, but is usually distributed locally to each provider. The best example of this is Netflix. Your Netflix content is most likely coming from a server hosted a few miles from your house in your providers NOC, and not from some grand Netflix central location.

Why is Netflix data hosted locally ?

The dirty industry secret is that your provider pays a fee when you go off their network for data. There are also potential capacity problems when you go off their network.  Is this a bad thing? No not really, it is just a matter of efficiency. We see similar practices in other product distribution models. You don’t drive to New York to pick up a toaster, there is usually one waiting for you at your nearest discount store. For the some of the same reasons, that you don’t go to New York to pick up a toaster, your provider tries to host your digital data locally when possible.

What does this mean for your Internet Speed?

It means that when you retrieve content that your provider hosts locally you are likely going to get your advertised speed. This also holds true for some speed test sites, if they are hosted within your providers network they are going to register a constantly higher speed.

What happens to your Internet speed when you go off your providers network? 

There are several factors that will effect your speed.

The main governing factor affecting speed is the capacity the of your providers exchange point.  This is a switching point where your provider exchanges data with other networks.  Depending on how much investment your provider put into this infrastructure this switching point can back up when there is more data being moved than it has capacity to handle. When this happens you get gridlock at the exchange point, and  your Internet speed can plummet.  Gridlock is always a real possibility because your provider just cannot anticipate all the content you are retrieving and sometimes it is not hosted locally.

What does my provider to to alleviate gridlock not their exchange point?

Some providers will actually lower your Internet speed when you are crossing an exchange point.  Or if their circuits are overloaded in general. I experienced this effect which I described in detail a few months ago when I was updating my IPAD.

After the exchange point the speed at which you get your data external to your providers network depends on the whims of every provider and back bone along the route. That obscure research paper from that server in Serbia , may have to make multiple hops to get out of Serbia and then onto some international back bone, and finally to your providers exchange point. There is no way anyone can anticipate at what rate this data will arrive.

How can I run a speed test that better reflects my speed out to the real Internet, by passing locally hosted speed test servers?

A few years ago we ran into this tool set that deliberately tries to retrieve all kinds of remote data to measure your true internet speed. You can also search out files hosted on obscure servers and try to download them.  Perhaps I’ll run a follow up article documenting some of my experiences.

Five Bars Does not Always Mean Good Data Why ?


I have a remote get-away cabin in the middle of the Kansas Prairie where I sometimes escape to work for a couple of days.   I use my Verizon 4G data service as my Internet connection as this is my best option. Even though I usually have 3 or 4 bars of solid signal, my data service comes and goes. Sometimes it is unbelievably fast, and other times I can’t raise a simple web page before timing out. What gives?
The reason for this variability is the fact that the wireless providers actually have two different networks. One for their traditional phone service, and one for the Internet.  Basically what this means is that the tower sites that you are getting your cell signal from actually have two circuits coming in. One is for the traditional cell service, which is almost always available as long as you have a strong signal (5 bars) on your phone.  And the other carries the legacy phone connection. Each one taking a different path out from the cell tower.

Limited Data Line to towers. The data service to each tower is subject to local or regional congestion depending on where and how your provider connects you to the Internet.  In rural Kansas during the broadband initiative the cellular companies had no Internet presence in the area, so they contracted with the local Internet companies to back haul Internet links to their cell towers. Some of these back haul links to the Internet have very limited data capacity, and hence they can get congested when there are multiple data users competing for this limited resource.

A second reason for slow data service is the limited amount of wireless frequency between your phone and the tower. Even though you may have 4 bars and a good phone connection, it is likely that your wireless provider limits data usage during peak times so they are not forced to drop calls. Think of it like two lanes on a highway, one is the priority lane for phone service , and then there is the data lane which can get jammed with data.

So the next time you can’t find directions to your favorite restaurant, or Siri is having a fit, just remember not all is fair on the data circuit to your tower and beyond.

NetEqualizer DDoS Firewall: Simple and Effective without the Bloat


One of the challenges when creating a security tool is validating that it works when the S$%^ hits the fan.  We have heard (via anonymous sources) that many of the high-dollar solutions out there create bloated, rotting piles of information, whose only purpose is to look impressive due to their voluminous output.  A typical $100K buys you a CYA report. A tool that covers  everything, leaving the customer to decide what to do; which is usually nothing or some misguided “make work”. These non-specific tools are about as useful as a weather forecast that predicts everything all the time. Rain, Snow, Wind, Hot, Cold, for everyday of the year. If you predict everything you can’t be wrong?

On the other hand, the reports from the field coming in for our DDoS tool are:

Yes, it works.

Yes, it is simple to use.

Yes, it takes action when appropriate.

We have confirmation that our DDoS tool, combined with our shaping algorithms, has kept some very large institutions up and running while under very heavy, sophisticated DDoS attacks.   The reasons are simple. We look at the pattern of incoming packets in a normal situation.  When the pattern reaches a watermark that is clearly beyond normal, we block those incoming circuits. If needed, we can also take a softer approach, so the attacker is not aware we are throttling them.  This is needed because in some situations outright blocking will alert the attacker you are on to them and cause the attacker to double-down.

When under DDoS attack you don’t need reports; you need immediate action. If you would like to discuss our solution in more detail feel free to contact us.

A Cure for Electronic Theft?


What if we created  a new electronic currency a-la Bitcoin with a twist.   Let’s start by taking an idea from the Federal Government, and put a water mark on our personal funds , something unique that signifies who legally possesses the currency. Cattle ranchers do this with a brand so nobody steals their cattle.  This has worked pretty well for a few hundred years right ?

With our new personal watermark, suppose somebody breaks into your bank, and wires all your money to some idiot in Russia. In today’s world the only way to find that money is to follow the trail, and that takes a huge effort from a banking forensics person, working with International governments.  The money may travel so fast it may not be possible to recover. Now, suppose the funds had an electronic tag that could not be altered by a criminal.   For example currency in your possession  has  a public private encryption key, and only you can authorize a change in possession.

I am not going to spend any more effort on the mechanics of currency ownership, suffice to say it could be done in many different ways. The problem with my proposed solution is the resistance it will meet from all sides.

  • The privacy crowd, will beat the drum and scare ignorant people  into thinking that the government will know how much money they have. The flaw with this argument is , unless you are underground and dealing in cash now, every bank transaction you have ever made is visible to the government. In essence, there is no net change here in terms of privacy. I’d also be fine with an optional cash currency for those that want to opt out, I don’t really care. For tax paying citizens with nothing to hide there is no new privacy downside to watermarking your funds.
  • The security industry will backdoor fight this tooth and nail. As I alluded to in a previous article , the security business has grown to a magnitude of scale well beyond the assets they protect. In other words the security industry is extorting more funds than the actual threat they are protecting you against.
  • Mexico, a country that does 80 billion plus in the drug trade, has no interest in traceable funds. Someplace, some-where, they  will lobby against this change, under the guise of some legitimate reason.
  • Politicians and their donors. Despite the rhetoric, there is absolutely no incentive to make this process transparent.

IT Security Business Is Your Frenemy


Is there a security company out there working in conjunction with a hacker, possibly creating the demand for their services? The old Insurance protection shakedown turned high tech? And, if so, how would you know?  I try to make it clear to our customers  that we are not in the security business for this very reason, but for most IT equipment and consulting companies security is becoming their main business driver.

If the world’s largest automaker will commit fraud to gain an advantage, there must be a few security companies out there that might rationalize breaking into a companies network, while at the same time offering them security equipment in order to make a sale.  Perhaps they are not meeting their sales goals, or facing bankruptcy, or just trying to grow. The fact is, IT investment in security is big business.   The train is rolling down the tracks, and just like our war on drugs, increased spending and manpower seems to have no measurable results.  Who makes more money, companies that make bank vaults, or the criminals that attempt to rob banks? I bet, if you add up all the revenue gleaned from stolen credit cards or other electronic assets, that it is pennies on the dollar when compared to spending on IT security.

Yikes I Have Been Hacked


I had just opened up my network to outside requests ,thinking this will only take a few minutes.  The idea was to  attack my home network from the outside, blasting it  with endless loops of rapid queries from external servers in cyber space, thus simulating a DDOS attack  .    It turns out I was not alone in attacking my Network .

When I went to my monitor DDOS monitor screen to see my attack, I saw  the chart below.   All those Source Ports showing  22 are the result of a server on my network , randomly attempting to login to computers outside my network .  How ironic , while testing my own DDOS software from an outside attack , I find out that one of my servers has been hijacked to do the dirty work for some other hacker.  I am only showing about 46 attempts  in the table below, but all in all ,there were about 450 of them.  They  appeared all of a sudden out of nowhere.  And then, Comcast shut me down, when I hit their security circuit breaker.  Or so I surmised, because this is not the first time this has happened to me, and I usually get  a call from Comcast telling me to run my virus software.  You know how you are not supposed to talk to strangers ? Well I had been getting these calls out of the blue from somebody claiming to be “Comcast” security , and the sounds in the background during the scratchy call were like one of those Indian boiler plate call centers … so I had been ignoring them, just humoring these people.  But perhaps they really were Comcast ? Or perhaps this was just the coup do grace from the hacker pretending to be Comcast after orchestrating the attack, in order to gain my trust and get my bank account ?  Like a bad Mission Impossible plot I don’t know who to trust anymore.
Index     SRCP    DSTP    Wavg    Avg       IP1           IP2           Ptcl  Port  Pool  TOS
0     46762      22   203   336    191.7.193.69   192.168.1.130  TCP   1   2    1
1     54211      22    29    90    85.25.211.119   192.168.1.130  TCP   1   2    1
2     52734      22    15     0    174.159.244.177   192.168.1.130  TCP   1   2    1
3        22   33388    42     0    192.168.1.130   93.97.181.70  TCP   2   2    1
4        22   49398   238   277    192.168.1.130   125.137.155.50  TCP   2   2    1
5     49184      22    66   152    192.81.170.254   192.168.1.130  TCP   1   2    1
6        22   49184   163   374    192.168.1.130   192.81.170.254  TCP   2   2    1
7     51722      22   142   214    217.92.189.104   192.168.1.130  TCP   1   2    1
8     38133      22    11     0    146.155.249.71   192.168.1.130  TCP   1   2    1
9     55232      22    93   400    178.49.172.175   192.168.1.130  TCP   1   2    1
10     50373      22    20    40    190.81.51.11   192.168.1.130  TCP   1   2    1
11        22   40073    21    35    192.168.1.130   31.45.215.117  TCP   2   2    1
12        22   39950    11    40    192.168.1.130   101.251.207.162  TCP   2   2    1
13        22   51889     9     0    192.168.1.130   169.236.135.241  TCP   2   2    1
14        22   53866   204  1036    192.168.1.130   95.211.215.206  TCP   2   2    1
15     57596      22    93   236    207.244.67.170   192.168.1.130  TCP   1   2    1
16        22   51971   188   384    192.168.1.130   66.242.228.2  TCP   2   2    1
17        22   53617   328   580    192.168.1.130   37.228.133.94  TCP   2   2    1
18     52574      22   206   338    177.21.237.77   192.168.1.130  TCP   1   2    1
19        22   56081    23    93    192.168.1.130   216.104.36.94  TCP   2   2    1
20        22   41126   213   771    192.168.1.130   176.31.199.232  TCP   2   2    1
21        22   33853   209   384    192.168.1.130   71.11.128.190  TCP   2   2    1
22        22   52185   282  2369    192.168.1.130   74.220.208.72  TCP   2   2    1
23        22   54224   224  1032    192.168.1.130   46.32.230.170  TCP   2   2    1
24        22   52065   710   806    192.168.1.130   49.212.12.217  TCP   2   2    1
25     43568      22    28    88    52.2.123.169   192.168.1.130  TCP   1   2    1
26        22   39032   200   558    192.168.1.130   199.34.242.73  TCP   2   2    1
27     53968      22   148   265    37.228.133.94   192.168.1.130  TCP   1   2    1
28     39950      22    17    60    101.251.207.162   192.168.1.130  TCP   1   2    1
29        22   44785   320   464    192.168.1.130   87.230.40.94  TCP   2   2    1
30     41889      22    13     0    70.4.134.198   192.168.1.130  TCP   1   2    1
31        22   35743   233   368    192.168.1.130   141.105.174.210  TCP   2   2    1
32        22   48689   298   373    192.168.1.130   12.11.100.194  TCP   2   2    1
33     36165      22   226   293    200.170.215.154   192.168.1.130  TCP   1   2    1
34     44991      22    53   146    191.5.224.79   192.168.1.130  TCP   1   2    1
35     38500      22   180   345    192.227.164.167   192.168.1.130  TCP   1   2    1
36     50944      22     8     0    199.174.12.17   192.168.1.130  TCP   1   2    1
37     39511      22   168   319    104.128.117.32   192.168.1.130  TCP   1   2    1
38     53820      22    16    30    95.84.153.61   192.168.1.130  TCP   1   2    1
39     47030      22   225   261    190.161.86.105   192.168.1.130  TCP   1   2    1
40        22   38500   367   735    192.168.1.130   192.227.164.167  TCP   2   2    1
41     33165      22   119   248    138.94.144.250   192.168.1.130  TCP   1   2    1
42     51185      22    18    60    46.105.163.187   192.168.1.130  TCP   1   2    1
43     48472      22    18    60    72.249.105.159   192.168.1.130  TCP   1   2    1
44     32890      22    89   174    95.177.200.94   192.168.1.130  TCP   1   2    1
45     57725      22    75   180    88.11.129.198   192.168.1.130  TCP   1   2    1
46        22   55358  1072  1373    192.168.1.130   138.91.57.190  TCP   2   2    1

Dear Comcast, Please Stop Slowing my iOS Update


Last week I was forced to re-load my iPad from scratch. So I fired it up and went through the routine that wipes it clean and re-loads the entire OS from the Apple cloud.  As I watched the progress moniker it slowly climbed from 1 hour, then 2 hours, then all the way up to 23 hours –  and then it just stayed there. Now I know the iOS, or whatever they call it on the iPad, is big, but 23 hours big?  I double-checked the download throughput on my NetEqualizer status screen, and sure enough, it was only running at about 60 to 100kbs, no where near my advertised Business Class 20 megabits. So I did a little experiment. I turned on my VPN tunnel, unplugged my iPad for a minute, and then took some steps to hide my DNS (so Comcast had no way to see my DNS requests).  I then restarted my update and sure enough it sped up to about 10 megabits.

To make sure I was not imagining anything I repeated the test.

Without VPN  (slow)

With VPN (fast)

So what is going here, does the VPN make things go faster?   No not really, but it does prevent Comcast from recognizing my iOS update from Apple and singling it out for slower bandwidth.

Why does Comcast (allegedly) shape my download from Apple?

The long story behind this basically boils down to this: it is likely that Comcast really does not have a big enough switch going out to the Internet to support the deluge of bandwidth needed when a group of subscribers all try to update their devices at once.  Especially during peak hours!  Therefor, in order to keep basic services from becoming slow, they single out a few big hitters such as iOS updates.

How to get Access to Blocked Internet Sites and Blocked Video Services


Have you ever taken a flight where video access is blocked?

Perhaps you are in a European Country where a well known provider blocks Skype to force you to use their phone service?

All you need to get around these suspect practices is to use a standard VPN, and it is easier than you think. I am on a flight right now and am going to try watching a movie. I am using IPvanish, but there are many VPN services you can choose from, and use for just a few dollars a month.

Just today, I was trying to restore my iPad to factory defaults. I supposedly have 20 megabit business service from Comcast.  While running the restore, I noticed that my download speed was running at about 200kbs max, and yet speedtests were showing no problems with my connection. So I rebooted my computer, started up my VPN, and found out that I am not getting my full 10 megabits.  What can I infer from this ? Well, I can only assume that Comcast has some sort of bandwidth control and is identifying my Apple device download and slowing it down. I was able to repeat this test.

By the way, I did get to watch a movie on my flight – success!  And that was a much needed break from work.

Note: There is one more trick required to un-block for some VPN services and some  streaming sites.  You may need to hide your DNS activities as well, since some blocking services will also block the DNS request before you even get to the site.

For example, the VPN tunnel will hide what you are doing from anybody, but the initial lookup service to get the site may not be hidden, because you are likely using by default your provider(s) DNS service. So, you should also set your DNS service to a third party site other than your provider after you fire up your VPN. In this way DNS requests should also be encrypted.

%d bloggers like this: