‘Security through obscurity’ or simply ‘Security incompetence’?

If you use a WebControl in a Windows Presentation Framework application that accesses local JS files, it shows this warning:

If I add
at the top of index.html,
IE 11 thinks it is loaded from about:internet and will not display the security warning. Currently I don’t know if this is also a security issue.

Tested with Windows 10 – IE 11.

RGB Bulb Review

I’m testing different RGB bulbs in my home automation environment, to research the best bulb on the market.
I will update this post with my other research and with people’s comments.

Short review, current winner: Aeon Labs Bulb.

Philips Hue

Website: http://www.meethue.com
Protocol : ZigBee


– A lot of apps for it


– Only HSB colors, difficult to set a precise RGB color.
– Only 3 values for colors: Hue, Saturation and Brightness.
– Poor color quality. Read the BravoRomeo review here.
I can’t understand the difference between yellow and green with my Philips Hue.
– Slower reaction when changing colors. For example, if I set a sequence of 9 colors (without fade), it took around 3 seconds to do them all.


Aeon Labs Bulb Gen5

Website: http://aeotec.com/z-wave-led-lightbulb
Protocol: ZWave
ZWave SwitchColor CC version: 1


– A lot of LEDs
– 5 values for colors: RGB + Warm White + Cold White
– True, exact RGB colors
– Faster reaction to colors. For example, if I set a sequence of 9 colors (without fade), it took around a fraction of a second to do them all.


– It seems that it doesn’t support fading between two arbitrary RGB colors. It’s limited to a simple preset of effects like rainbow.


Zipato RGBW bulb – rgbwe27zw.eu

Website: http://www.zipato.com/default.aspx?id=24&pid=81&page=1&grupe=
Protocol: ZWave
ZWave SwitchColor CC version: 1


– 5 values for colors: RGB + Warm White + Cold White
– True, exact RGB colors
– Faster reaction to colors. For example, if I set a sequence of 9 colors (without fade), it took around a fraction of a second to do them all.


– Doesn’t support any kind of fade or effects. Confirmed by their support.

Hotmail and Gmail use blacklists of entire subnets for a single involved IP? Unbelievable

A mail to me from Leaseweb:

Dear sir, madam,

It appears you are hosting a TOR node on your LeaseWeb IP address [omissis].
This has resulted in the block of a (part) LeaseWeb IP subnet. (/24)
As the subnet is added on the SECTOOR blacklist (http://www.sectoor.de/tor.php) this is affecting customers in the same range as yourself.

The SECTOOR blacklist is e.g. implemented by Hotmail, Live and Gmail. This results in other customers no longer being able to use the mail services of these companies.

[omissis details]

Therefore, we kindly, yet urgently ask you to disable the connection to the mentioned ports within 24 hours. Failure to comply and respond (confirm) to this warning, will result in a block of your involved IP address(es).

Thank you for your co-operation and understanding.

Kind regards,

Team Manager Abuse Prevention
LeaseWeb Global Services B.V.



An alternative approach to so-called WebRTC leaks

Posted on Reddit here: http://redd.it/32d94q

Recently there were a lot of discussions about the WebRTC IP Leak. Almost all of them are talking about a “Security flaw” or treat it as a bug.

However, many articles about the WebRTC [leaks] talk about a solution: disable WebRTC in your favorite browser.
Two questions:

  • Is it really a “Security flaw” that needs to be fixed in browsers? Look at the browsers’ bug reports to understand how many different opinions exist on this.
  • Why can the browser go outside the VPN tunnel? How many apps/protocols can do the same thing as the WebRTC leak? So, is disabling WebRTC a sufficient solution for those who use a VPN to avoid exposing their ISP IP address or traffic?

I will explain details of the issue. But first, if you are connected to a VPN service right now, try this:

ipdetection.zip (source available here)

or, under Unix try this (try also as root):

for s in $(ifconfig -a | sed 's/[ \t].*//;s/:$//;/^\(lo\|\)$/d'); do curl --interface "$s" http://www.clodo.it/projects/whatismyip/; done

Is your real ISP IP leaked?


When a user connects to OpenVPN, the main interface (ethernet, wifi etc) is still available (also to talk with the VPN server itself).
And another network interface is opened (tun/tap).
This is the scope of OpenVPN: create a tunnel.

As a plus, OpenVPN can be configured to push a directive from the server to its clients: “redirect-gateway”.
This tells the client that ALL traffic needs to be redirected inside the tunnel by default.

Almost all VPN services use a specific option of that directive: “redirect-gateway def1”.
From the OpenVPN manual:

def1 — Use this flag to override the default gateway by using and rather than This has the benefit of overriding but not wiping out the original default gateway.

Now, this means that the original route are still active, but there are other routes created by OpenVPN that override the original based on precedence.
But is a route assigned to the standard interface, while the new and are assigned to the TUN interface.

In every OS, when a connection/socket is opened, the program can choose a specific network interface that needs to be used.
This is not common, because most applications don’t need that and let the OS use the default network interface.

The program above does exactly this: it binds to a specific network interface to query an external “what is my IP address” service.
When binding to the standard interface, the overriding rules of OpenVPN are simply ignored, at least under Windows.

I think browsers do the same thing in WebRTC discovery.

Can a VPN service based on OpenVPN resolve the issue server-side, transparently to their users?

Simply don’t use the def1 option in the redirect-gateway directive.
Without def1, the OpenVPN client totally removes the route, and re-creates it at disconnection.

But I don’t recommend this approach: with def1, if the OpenVPN process is terminated, the overriding routes are automatically deleted or unused, and traffic continues to flow over the standard interface.
Without def1, if the OpenVPN process is killed/terminated, the user remains without any route for his/her traffic.

For me, a good VPN service needs to use the def1 option, for the final consideration below.
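
The routing behaviour described above, as an added example (not code from the original post or from OpenVPN): a simplified Python model of longest-prefix route selection, using the 0.0.0.0/1 and 128.0.0.0/1 routes that def1 installs. The route tables, addresses and interface names (eth0, tun0) are constructed, and an interface-bound socket is modelled as a lookup restricted to that device's routes, which is an assumption of this sketch.

```python
import ipaddress

# Constructed `ip -4 route show` output (not from the post) for a client using
# "redirect-gateway def1": eth0 keeps its default route, two /1 routes override it.
ROUTES_DEF1 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Same client when redirect-gateway is pushed without def1: the original
# default route is removed and replaced by one through the tunnel.
ROUTES_NO_DEF1 = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Return [(network, device)] from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest), fields[fields.index("dev") + 1]))
    return routes

def lookup(routes, dst, bound_dev=None):
    """Longest-prefix match; bound_dev models a socket bound to one interface,
    which only considers routes on that device (assumption of this model)."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if addr in net and bound_dev in (None, dev)]
    return max(hits)[1] if hits else None

def leaking_interfaces(routes, dst, tunnel="tun0"):
    """Non-tunnel interfaces through which a bound socket can still reach dst."""
    devices = sorted({dev for _, dev in routes} - {tunnel})
    return [d for d in devices if lookup(routes, dst, bound_dev=d) == d]

if __name__ == "__main__":
    for text in (ROUTES_DEF1, ROUTES_NO_DEF1):
        print(leaking_interfaces(parse_routes(text), "198.51.100.7"))
```

With def1 the unbound lookup goes through tun0 while a socket bound to eth0 still finds the surviving default route; without def1 the bound lookup finds no route at all.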

Final consideration

WebRTC IP Leak is not a fault of browsers.

It is not a fault of OpenVPN (that is designed to be a Tunneling software, not an Always hide my traffic software).

It is a fault of users, because they trust the standard OpenVPN client for things out of its scope, or trust a badly-written VPN service client software.

Users need to use a VPN service that has software addressing this kind of issue, or need to understand how to configure a firewall or a router.

Disclaimer:
I’m the author of the client software of a known VPN service. Anyway I don’t cite it in this reddit.


Update: sources released on GitHub.

I’ve done some games/experiments during my study of DK2 gameplay; this is one of them (about body movement and reflexes). Made with Unity 5.0.18 Indie and Oculus 0.4.4 SDK.


YouTube Preview:

A guy that enjoys my game (with the correct gameplay: without controller!)

Windows: http://files.clodo.it/projects/vrspacetunnel/VrSpaceTunnel.windows.zip (45 mb)
OS X (UNTESTED): http://files.clodo.it/projects/vrspacetunnel/VrSpaceTunnel.osx.zip (47 mb)
Linux (UNTESTED): http://files.clodo.it/projects/vrspacetunnel/VrSpaceTunnel.linux.zip (57 mb)

The game needs an initial calibration, to detect the maximum and minimum positions to which a player can move their head.
Press X to reset the calibration. Press R to reset Oculus Rift orientation.
Press SPACE to start (and restart at game-over).

It can be played seated, but I recommend playing it standing up, with hands on the desk.

Works at 75fps with my GTX 570 on an old i7. Press F11 to see the FPS, and 0,1,2,3,4,5 to change graphics quality (0 fast, 5 is best).

At game-over, press SPACE to reset and look left to check if you beat your highscore.

I released all source-code under public domain. Not well commented, it’s just an experiment. It works with Unity Indie.
http://files.clodo.it/projects/vrspacetunnel/VrSpaceTunnel.src.zip (85 mb)

The zip contains parts of some third-party assets, but all of them are totally free in the Unity Asset Store.

Music by Imphenzia: http://soundtrack.imphenzia.com/ – I used the watermarked version to allow me to release the entire project out-of-the-box under open-source.

No more improvements are planned, unless people like it 😛

My best score is 4307 meters 😛 Enjoy!

[ITA] Untitled 3D Platform game

Years ago, while waiting in vain for a Mario Galaxy 3, I tried writing (for fun) a similar 3D platformer, which I then abandoned because it was too demanding for the time I had available. One evening many years later I re-opened the project and made a video story. Enjoy.

Discussion on Reddit: https://www.reddit.com/r/italygames/comments/7uvptq/racconto_di_un_prototipo_mariostyle/