Stalking my stolen phone with Tailscale

Here’s an interesting use case for a VPN. My phone was stolen a few days ago.

I know, can hear you thinking: “Why, Ben, admit you just lost it…” – you cynic. To which I counter I noticed it was missing within a few minutes, and by that time the “Find my Phone” service couldn’t find it. So I merely dropped it, we can be sure that something turned the phone entirely off during that few minutes. Ok, ok, maybe I dropped it that then a car ran over it, or something. That something needs to have been in the walk from the gate at the airport to the shuttle bus into town.

So back to the VPN. The next morning, it occurred to me that I have Tailscale installed on all my devices. The Admin console in tailscale reports the last time the device was part of the VPN. Sadly, my phone was last seen, shortly after my plane’s arrival at the gate.

The phone is new and expensive, I’m sad. And I’ve been checking to see if it shows up with the find my phone service, no luck. But Tailscale’s admin console updated the last seen around 4pm yesterday. Frustratingly, I noticed that 20 minutes later. Too late to get the phone’s location.

I’ve rigged up a script that’s polling the stable Tailscale VPN IP address of the phone. If it reappears, that script will send me a text message. I’m not clever enough to have puzzled out how to invoke the Android find my phone service at that point. If I’m lucky, I can capture that, manually, before the phone gets turned off.

Meanwhile, I discovered my credit card has purchase protection for this. So I’m getting schooled in the subcontractor’s policies and procedures for that benefit. And, I’m now learning all kinds of things about “filing a police report” and the policies and procedures of the Massachusetts State Police Records Center. So much learning! Oh, and TextBelt has an affordable API for posting SMS messages over HTTP


I’m considering switching to a new Internet Service Provider (aka an ISP). Their service is cheap and fast. But it is optimized to lower their support costs. So they do not do lots of things. I don’t get an IP.v4 address, only an IP.v6 address, and no port forwarding. I.e. they don’t expect the buyers to run services.

Currently, I have a handful of services. These are all private. A little web server, my collection of ebooks, a gateway that lets my Android phone use Apple’s Messages, a time machine server, etc.

I was pleased to realize that’s not a big deal. I have tailscale setup, so I can just let it dig a way out. That said, it doesn’t quite work if I want to occasionally let somebody outside the household access one of these services. And then there is always the worse case situations for which I prefer to have ssh access.

So here is work around. Cloudflare free tunnels.

If you install their software agent which MacOS is easy:

brew install cloudflare/cloudflare/cloudflared

You can then reveal any service by doing:

cloudflared tunnel --url http://localhost:8765

The log that emits will show you a random URL to reach (say and if open that the tunnel will show you what ever the service listening on port 8765 of the localhost offers it.

FYI – you can quickly establish a service to test this with using python’s http.server module. For example, here we stand up a service that will reveal our /tmp directory on port 8765.

python3 -m http.server --directory /tmp 8765

That should get you started


Notice that at no point did you set up an account at Cloudflare.  To build more persistent tunnels you need to do that, but it will remain free.  To get tunnels that use your own domain names you will need to use their free DNS.  Their doc is ok, as are the tutorials out there.

“Are there no prisons?” asked Scrooge.

“Robert Francis Krebs, who spent most of his adult life behind bars, told investigators he robbed the $221 million Pyramid Federal Credit Union in Tucson, Ariz., in January 2018 because he was unable to adjust to life on the outside and wanted to go back to prison.

On Tuesday, the 84-year-old career criminal convicted of armed bank robbery by a jury in March 2020 was finally granted his wish.” – Credit Union Times

The penal system doesn’t contribute to Social Security.

“I feel some hope finally”

There is some buzz about an alternative approach to COVID-19 testing.

Let me take a stab at explaining this:

You have a hundred dollars to spend on testing and two options; which do you pick?

Option A: buy one test.
Option B: by a hundred test kits.

Option A: Results in 1-10 days.
Option B: Results in 30 minutes.

Option A: Detects infection with 24 hours of infection.
Option B: Detects infection with 30 hours of infection.

How may tests per day could the entire nation do?
Option A: A third of Million.
Option B: Unlimited?

How often can I test my entire school, office, factory?
Option A: monthly, maybe weekly
Option B: daily

Who should self quarantine for 14 days?

Option A: Anybody how might have had contact.
Option B: Anybody with a positive test.

On the podcast where I learned about his the gentleman explaining this new approach suggests that this could drive the reproduction rate below one nearly instantly. It is easy for people to self-quarantine in a timely manner.

One of the experts: “I am blown away, I feel some hope finally.”


We’ve all been advised to stay home and avoid unnecessary contact with other. Concerns about a COVID-19.

Google maps has a useful feature, i.e. a little chart showing how crowded a store is. For example right now the nears Costco is half as crowded as usual.

Costco looks to be empty right now.

Yesterday and early this morning it was running about double the usual crowd. People rushing to stockpile supplies. Maybe the rush is over, maybe people know or think the store has been stripped clean.

I’ve noticed, over the last few days, the big ethnic grocery stores are generally much calmer. Some actually look like people are avoiding them.