The Ocean Race 2023 leg 2: Cabo Verde to Capetown

PIL66 - XL2

Super Anarchist
2,843
975
Stralya
Could someone save me hours of reading...

Not just the reading, it's the hours of trying to decipher the Franglais that is the problem.
Anyway, someone said Paul M. was using Biotderma anti-itch cream. He should use Sudocrem of course, applied by the nurse they all have on board.
A line from Witty and the Scally's that got him in some trouble
They have killed two sails and were the furthest east through the doldrums. They won earlier but then the west won out.
Maybe the sails..... but they were within 30 miles of the pack so can't be the East position back in the doldrums.... that was Guyot
 

Rocky

New member
33
37
A line from Witty and the Scally's that got him in some trouble

Maybe the sails..... but they were within 30 miles of the pack so can't be the East position back in the doldrums.... that was Guyot
Niall mentioned briefly in one of the videos, two days ago I think, that Biotherm had a problem with the foil casing. I don’t know if our how much they slowed down because of it, haven’t heard more about it.
 

Rocky

New member
33
37
Now all boats gybed, not ideal for the 24h record since that does slow them down for a bit, 11th standing at 541nm, Malizia at 532 and Holcim at 508. They are all a bit slower now.
 

noaano

Anarchist
500
258
This actually isn't quite true, you can tell if someone is posting to WhatsApp, or to YouTube, very easily, the domain names you visit are not encrypted over a standard connection, this is very easy to track (and why you should use a VPN on any untrusted network [which is basically every network], free networks often track this usage information to sell on).
This actually isn't quite true, as both IOS and Android (and other main OSses) use and support encrypted secure DNS and have for quite some time. The domain name will remain hidden.

As most cloud backed apps use multiple regions, CDNs and POPs, the service involved cannot be determined from IP address either, not really.

So no, its not easy nor really possible anymore.

If a well configured SSL-VPN is used, its even less possible, as all traffic goes through one hidden pipe which is very hard to tell anything about from outside. There are more exotic options in hiding your traffic and/or making it look like something else.

So what you do when you control the connection (the Immarsat connections) is block VPNs, block any url except the race tracker, grib downloads (which I believe are provided by the race office again, no external ones allowed) and permitted social media,
Inmarsat has no such advanced filtering, so it would need to be built on top. Firewalls on boat, which could be bypassed as inmarsat equipment is pretty standard.

And filtering todays advanced encrypted protocols is way hard even on the hard.

And if someone wanted, Tor would get through most firewalls with some clever tweaks. Heck, it was (partly) developed to get around nation state class actors.
now if you don't trust the teams
Only way is to trust the teams, no other option. But very hard to police.
 
Last edited:

Herman

Super Anarchist
2,119
1,567
The Netherlands
Herman - what initializing info are you using on your runs. PRB has a longer elapsed time but shows finishing in front of Malizia. Are there slightly different timestamps on the positions?
Full disclosure; I routed with these settings below in the screenshots. For the next routing I'm thinking of powering-up that windscale factor to 105% or 110%. As advised in the Expedition book by Will Oxley. In order to better account for mast height as winds are forecasted @ 10 meters.

I did not save the routing from last night so I can't give you further details on the timestamps for Holcim-PRB and Malizia.

Opt routing settings.png


Opt advanced.png
 

despacio avenue

Anarchist
975
217
Alaska
Think this hasn't been shared yet: Will talking about why they were back at the start of leg 2 and the damage on the trailing edge of the foil. He also explains how they try to keep it in 1 piece.


With Melitizia now at or near the lead, Will's calm analysis was spot on. He seems like a very smart, even tempered guy who has been performing many of the key repairs to the foil, removing the fishing net that was wrapped around the foil, and the go-to person for the OBR.
 

shebeen

Super Anarchist
With Melitizia now at or near the lead, Will's calm analysis was spot on. He seems like a very smart, even tempered guy who has been performing many of the key repairs to the foil, removing the fishing net that was wrapped around the foil, and the go-to person for the OBR.
indeed. he filled in for Boris on the Shirley robertson pre race podcast and comes across as an incredible package for the boat. Look forward to seeing him kick on for his own IMOCA campaign (which is his plan).
 

JonRowe

Super Anarchist
1,975
1,096
Offshore.
This actually isn't quite true, as both IOS and Android (and other main OSses) use and support encrypted secure DNS and have for quite some time. The domain name will remain hidden.

As most cloud backed apps use multiple regions, CDNs and POPs, the service involved cannot be determined from IP address either, not really.

So no, its not easy nor really possible anymore.

If a well configured SSL-VPN is used, its even less possible, as all traffic goes through one hidden pipe which is very hard to tell anything about from outside. There are more exotic options in hiding your traffic and/or making it look like something else.

This pressumes that the basic permission is to allow rather than deny, and thus trying to disguise "bad" traffic as routine, however on a properly locked down system where there is an allow list to only your services with certain routes to certain hosts this doesn't work, as there is no ssl-vpn or encryped DNS available, just a white list of ips, yours (or your proxy).

Inmarsat has no such advanced filtering, so it would need to be built on top. Firewalls on boat, which could be bypassed as inmarsat equipment is pretty standard.

You seal the hardware in a box, penalty for breaking the seal, this is how other such "easy to bypass" checks are done, such as in the Vendee when they had to keep grab bags in certain places. (My liferaft and batteries are sealed in this fashion in the Mini class).

And filtering todays advanced encrypted protocols is way hard even on the hard.

Doesn't matter if you're only allowed to access certain services at certain routes.

And if someone wanted, Tor would get through most firewalls with some clever tweaks. Heck, it was (partly) developed to get around nation state class actors.

Tor was designed to get around filters on a generally open internet, disguising your traffic; and exists in part because it was easy to simply block vpns etc, so again wouldn't work if you can't get to any other endpoint.

Only way is to trust the teams, no other option. But very hard to police.

It really depends on what their budget was for setting this up, on the VO65s they were all supplied gear.
 

noaano

Anarchist
500
258
This pressumes that the basic permission is to allow rather than deny, and thus trying to disguise "bad" traffic as routine, however on a properly locked down system where there is an allow list to only your services with certain routes to certain hosts this doesn't work, as there is no ssl-vpn or encryped DNS available, just a white list of ips, yours (or your proxy).
This requires you won't allow any traffic directly outside, everything has to go via man-in-the-middle proxy.

This is simply not an option for say Whatsapp, which is visibly used for example.

How would you limit the DNS for example? Most public DNS servers support secure DNS, 1.1.1.1 being the most popular one.

And even DNS is a risk, there exists many implementations of anything-over-dns. So if you allow arbitrary name resolution, that is a vector to send any traffic, even if you control the DNS server, they will happily forward your queries containing the covert payload.
You seal the hardware in a box, penalty for breaking the seal, this is how other such "easy to bypass" checks are done, such as in the Vendee when they had to keep grab bags in certain places. (My liferaft and batteries are sealed in this fashion in the Mini class).
Yes, but then all the equipment involved has to be supplied, and that requires huge resources. I believe now most everything involved is supplied by the team itself.
Doesn't matter if you're only allowed to access certain services at certain routes.
You have to lock down everything and transmit everything via a scanning proxy, then yes.
Tor was designed to get around filters on a generally open internet, disguising your traffic; and exists in part because it was easy to simply block vpns etc, so again wouldn't work if you can't get to any other endpoint.
Tors beauty is you can transport on and disquised as almost anything else, network traffic wise.

But there are many other ways. If you let any bytes out, there is a way. Airgapping is the only way to be sure, and even then you have vectors, like Stuxnet.

Anyhow, it is hard to make it tight and even then you have to deal with covert channels like code language. "How is your tubular alloys holding?"etc :)
 
Last edited:

Herman

Super Anarchist
2,119
1,567
The Netherlands
Weather routing Feb 8th

Pic 1 has the big pic for 06 UTC, the MSLP chart for the Southern Atlantic up to the South Pole provided by the South African Weather Service. The fleet is around Gough Island, I presume you know where to find that by now. Any tips on how to import this map into Expedition are welcome.

That cold front east and south of Gough Island past the fleet earlier at an enormous speed moving east. The fleet has come into relative stable weather compared to the last 24 hrs when they were enclosed by 3 LP zones. Ideal reaching weather. The St Helena HP has expanded with a 2nd HP zone south of Capetown. A newly developing LP zone can be seen south of St George Island. Currently with 990 hPa pressure in the nucleus, so not as powerful as the LP south of the fleet with 950 hPa.

Pic 2 has the Sat image IR for 0140 UTC, GFS 02 UTC and extrapolated / estimated boat positions 02 UTC. Stuff seems to match. Red arrow is Gough Island. One boat observation (which is a white elephant in these parts) can be seen in the bottom left red box. Predicted wind for 02 UTC does not match observation @ 10 UTC. But does for predicted wind @ 10 UTC for speed and direction. See pic 6. One or more fronts can be seen west of that boat.

Pic 3 has the Wx routing and Pic 4 the Wx table using the ECMWF ensemble forecast @ 0.4 degrees resolution. ETA has again come forward. Biotherm the only one projected hitting the AEZ.

Pic 5 has the Wx routing and the Wx table using the ECMWF ensemble forecast @ 0.4 degrees resolution and wind scale set to 105%. ETA’s pushed +/- half an hour earlier for the current top-3. Guyot's ETA a bit more changing, 1,5 hrs earlier.

For the coming days weather says head SE with winds around 20 kts until it is time to gybe to Capetown. Where a small HP zone is projected to wait at that time for them, and disappearing *just* before they should arrive. We’ll see how that plays out when they are closer to CT and the forecast gets more solid. See pic 7.

Pic 1 MSLP 06 UTC
Pic 1 The big pic SA MSLP 06 UTC.gif

Pic 2 SAT IR 0140 UTC and GFS 0200 UTC
Pic 2 SAT IR 0140 UTC and GFS 0200 UTC.png


Pic 3 Wx routing @ 100% windscale GFS
Pic 3 Wx routing @ 100% windscale GFS ensemble.png


Pic 4 wx table @ 100% windscale
Pic 4 wx table.png


Pic 5 Wx routing @ 105% windscale GFS ensemble
Pic 5 Wx routing @ 105% windscale GFS ensemble.png


Pic 6 boat observation matches forecast (for once) with 2 fronts drawn by me
Pic 6 boat observation.png


Pic 7 HP zone for Capetown projected
Pic 7 HP zone for Capetown.png
 
Last edited:

JonRowe

Super Anarchist
1,975
1,096
Offshore.
How would you limit the DNS for example? Most public DNS servers support secure DNS, 1.1.1.1 being the most popular one.

You just don't allow access to any unlisted ip addresses, and the router is configured to provide DNS itself (this is the case with most routers, they nearly all provide a DNS resolver) which will lookup from your DNS server, which will only resolve addresses you tell it to.

This requires you won't allow any traffic directly outside, everything has to go via man-in-the-middle proxy.

All traffic goes through a router anyway (by necessity, this isn't additional hardware) which can prevent access except to an allow list of known ip addresses for services, that allow list of known ip addresses can be provided by your own DNS which can be restricted to only lookup allowed services.

This is simply not an option for say Whatsapp, which is visibly used for example.

Its an option for WhatsApp, it has DNS addresses which you're controlling look up to and that can either drive the allow list or you can fixate which ips are returned.

Should probably stop dragging the thread off topic but happy to discuss further in pm if you're interested.
 
Top