Assorted Nerdery

Boston Public Library

Sat, 27 Sep 2025 20:09:26 -0400

Cool discovery: Anyone who has their primary residence in the Commonwealth of Massachusetts, works in Massachusetts, or owns residential property in the Commonwealth can apply for and receive an eCard for the Boston Public Library. You don’t even have to physically show up at any of their branches to get these benefits.

The library provides a ton of digital resources to Massachusetts residents.

Free access to the Boston Globe and Boston Herald, NYTimes and WSJ websites.
Access to The Economist,Christian Sciene Monitor, and many other magazines through Pressreader.
Streaming music through a service called Freegal
Streaming movies and television shows through a bunch of services likeKanopy, and biblio+
Lots of ebooks and other magazines throughOverdrive / Libby,Boundless,Flipster,
Technical books, audiobooks and online courses from O’Reilly

There’s even a free Headspace membership available for those who are in need of meditation!

Go check it the online resources out!

One year with PV

Sat, 21 Dec 2024 11:32:25 -0500

In October 2023, I had 23 solar panels installed on my roof in the Boston area. This post series will summarize our experience with the system thus far.

Procurement Process

We went with a company out of Arlington, Massachusetts, for the project. I found the company using EnergySage, a quote aggregator. EnergySage is a convenient way to get multiple quotations from different local companies. There are others, including Solar.com, who provide a similar service. EnergySage is a Boston company, so I preferentially chose them.

The quoting process with EnergySage is straightforward. You put in information about your house, which gets farmed out to several companies to provide budgetary quotations. They provide a convenient comparison table for the quotes. In my case, I received seven quotations back, with more or less equivalent equipment. I selected a subset of these to pursue further – some quotes were well out of line with the others. Two of the vendors were very responsive, and I selected one of them.

The nice thing about EnergySage is that their platform shields you from receiving spam calls. You can communicate with the companies through their portal before providing your contact information to the short-listed companies. I started seriously considering PV in 2021 and went through a round of project quotations before pulling the trigger in 2023.

System Description and Costs

In August 2023, the winning quotation priced the system at $3.26/W for Hanwa Q-Cells 405W panels paired with Enphase IQ8-M inverters.

Based on a report released by EnergySage (“Energy Sage Marketplace Intel Report H1 2024” n.d.) in October 2024, I paid what has become the average cost today. If you’re interested in PV, this report is a good read on the current market situation. It’s incredible how cheap solar can be in areas that don’t have good net metering policies and cheap labor.

Table 1: System Costs and Rebates

Milestone	Amount ($USD)
Down Payment	1000
One month Prior	14679
Installation Complete	14697
Permission to Operate	1000
Total Outlay	30376
Incentives
Federal Investment Tax Credit (30%)	- 9112
Massachusetts Tax Credit	- 1000
Net Cost	20264

After tax credits, the system was around $20k. Both tax credits came back in early 2024 when I submitted my taxes for 2023. The tax credit is non-refundable, meaning you need to have a tax liability larger than it to take full advantage, though it is possible to carry it over to a subsequent year.(“Homeowner’s Guide to the Federal Tax Credit for Solar Photovoltaics” n.d.)

Other related expenses include:

Table 2: Other Related Expenses

Item	Cost
New Roof	$14000
Electrical Panel Upgrade	$3500

Although necessary for the project, these expenses are not formally considered part of it. My roof already needed replacement, and the electrical panel replacement happened as part of a broader household electrification effort. Including these as part of the ROI calculation is not fair.

The final design for my system included 23 Hanwa Q-Cells Q.PEAK DUO BLK ML-G10+ panels. These panels are paired with Enphase IQ8M microinverters to reduce the amount of clipping. The inverters have a maximum output power of 325W, which is about 25% less than the solar panel’s maximum output. Even the panels can cause clipping on the inverters, this is occurs rarely. Panels are usually not installed in ideal locations – the panels are not facing due south or on a tracker, they’re not at the perfect angle, etc.

Clipping on our system has happened since the inverters are undersized compared to the panels, but it’s not common. Figure 1 shows an example of when this happens. It took some digging to find this in my archives.

Figure 1: An example of power production over a day showing clipping. The power output is flat between the red vertical lines, indicating that the system is producing the maximum amount of power.

Process

After signing the contract to move forward with the system, a representative from the vendor came out to visit my home and make some measurements of the roof. They took photos of the electrical panel and looked in the attic at the rafters to check the spacing and size.

After this, the engineering team at the vendor got to work and submitted a pile of paperwork to the utility and my city to obtain the necessary approvals and permits. The design underwent multiple iterations due to some new fire code requirements described in Headaches.

The timeline from signing the papers to getting Permission to Operate (PTO) was 108 days. The actual installation took only two days.

During the installation, there were two inspection steps. The city is supposed to inspect the physical installation to ensure that all setbacks are maintained and the system properly ties into the framing. They are also required to sign off on an electrical inspection after everything is tied in. After this inspection, the installer can ask the utility to make the meter swap and grant permission to operate the system.

In my case, I believe that the city waived the physical inspection of the equipment, but they did come out for the electrical inspection.

Kudos to the technician from Eversource for working Black Friday and swapping my meter out.

Headaches

Setback Requirements

On December 9, 2022, the Commonwealth of Massachusetts adopted the 2021 NFPA 1 fire code. The new edition makes the access requirements on the roof stricter than in the past.A 36" walkway on the roof plane is now required, and the setback from the roof ridge should also be 36".

Section 11.12 describes the requirements for photovoltaic systems, but due to some crazy licensing restrictions I cannot copy the relevant sections here. They may be viewed here for free, but an account is necessary. They also have ridiculous password requirements, considering it’s a free account.

Unfortunately, this new code means we had to install a smaller array than the initial design. We lost four panels from the south-facing portion of the array and had to put some panels onto a less productive face.

Equipment Problems

Thus far, we had one issue with the system at installation. All of the microinverters communicate with a piece of equipment called the IQ Combiner 4.

This unit manages:

Monitoring the grid connection to shut off the power if the grid drops.
Communicating with the microinverters underneath each panel.
Monitoring the power output and, optionally, consumption from the electrical panel
Sending data to the Enphase Enlighten monitoring system.

The Ethernet connection on the IQ Combiner 4 unit was faulty. The Enphase remote support RMA’d a board for us and, the installer replaced it during a follow up visit.

Since then, we have had zero issues.

Next Steps

In the next post, we’ll review the system’s electrical performance, and in the third post in this series, we’ll cover the financial performance.

References

“Energy Sage Marketplace Intel Report H1 2024.” n.d. Accessed November 21, 2024. https://www.energysage.com/data/.

“Homeowner’s Guide to the Federal Tax Credit for Solar Photovoltaics.” n.d. Energy.gov. Accessed November 27, 2024. https://www.energy.gov/eere/solar/homeowners-guide-federal-tax-credit-solar-photovoltaics.

Hybrid Water Heater Review

Sat, 10 Aug 2024 23:00:00 -0400

One of the recurring joys of home ownership is plumbing. In 2021, the water heater in our home developed a small leak. Fortunately, the leak was small enough where we had some time to work out the next steps. Our long-term goal for our home is fully run on electricity for both comfort and climate reasons.

The domestic hot water system that existed in the home when we bought it used the indirect heating loop in the oil boiler and an unplugged electrical water heater as a storage tank. The boiler was setup to maintain a set point between 120F and 170F all year round. Looking at the summer usage of the boiler, we used between 0.5 and 1 gallon of oil per day to keep the boiler hot. Extrapolating this, I estimate that heating water was burning around a full tank of oil per year – around $900/yr at the $3.50/gal price in Feb 2022.

Installation

The first step in installing the HPWH was to have our electrician run a 240V 30A circuit to the location. Our electrician did this some weeks prior to the water heater’s arrival. Although the water heater’s normal consumption is around 400W, it has traditional heating elements which turn on in a few different scenarios:

Hot water utilization is too high for the heatpump to keep up
The ambient temperature is too low in the area the unit is installed.
The heat pump has some mechanical problem or coolant leak which prevents the heat pump from operating.

The subsequent steps were performed by a local plumber. The existing storage tank and hardware were removed , and the indirect loop on my boiler was capped off. The new hot water heater was connected to the existing hot water line. Finally, a condensate pump and flexible tubing were connected to move the condensate created by the cold side of the heat pump to a drain.

The version of the water heater that I bought has an automatic shutoff valve and a leak detection circuit, so we installed the unit onto a drip pan. This will contain any water which may spill from a leak, and concentrate it so the leak detection circuit shuts off the cold water input.

As I recall, the manual suggests connecting the water heater to the rest of the house using a flexible line, however the plumber who installed it used rigid copper for the connections. In addition, the manual suggests using a heat trap on the cold water input. This was not done in my installation, but is on my to-do list to correct. I’d suggest reading the manual and reviewing the installation plan with the installer prior to commencing work. This isn’t to complain about our installer – they were good to work with and did clean work at a reasonable price on a fast schedule.

Costs

It always annoys me when I read great writeups of projects, and they skip the installation costs. Of course, this happened in 2021, and prices are strongly location dependent.

Item	Manufacturer	Model	Price	Store
Water Heater	Rheem	Proterra 50gal XE50T10HS45U0	$1514.13	Home Depot
Drip Pan	Everbuilt	24" Al Drip Pan	$20.98	Home Depot
Condensate pump	Little Giant	VCMX-20ULST	$49.95	Home Depot

At the time, the Chase Sapphire Card had a Pay Yourself Back option at Home Depot. I was able to use credit card points to pay for the water heater and the other items.

The installation costs:

Item	Cost
Electrical Circuit	~$300
Plumbing and Disposal	$800

In 2021 Massachusetts, MassSave, the state efficiency program offered a $600 rebate if you installed a heat pump water heater. Since then, both the state and feds offer even more generous rebates to install these efficient systems.

Performance

We have owned the water heater for approximately three years at the time of writing. The elements on the tank kick on ~5 times per month on average, mostly during the wintertime when multiple sequential showers happen. The elements have been turning on more frequently since last June 2023 when I replaced our highly efficient shower head with a model which uses a much higher flow. You can see in the plot below that the summertime usage is higher after this. One item to note is that the power monitoring system was not hooked up during August / September 2022 while our electrical panel was getting upgraded.

Figure 1: Power usage since installation

It’s also interesting to look at a single cycle. In the plot below, you can see how the power used by the water heater increases with time as the water in the tank gets hotter.

Figure 2: Power usage during a heating cycle

Finally, this is a plot of a water heating cycle where the electric elements kicked on during a particularly long heating cycle during the winter. I’m not certain what was happening at this time, but I suspect several showers were taken along with dishes and laundry. There are multiple times where the HPWH power usage goes down – indicating that the temperature in the tank is lower.

Figure 3: Power usage during a heating cycle

Carbon Footprint

On another project, we calculated that our old boiler system used approximately a full tank of oil each year. This was done using data from a Smart Oil Gauge which reports the oil level in my tank hourly all year round. We looked back at the usage from the summertime before we replaced the water storage tank with our HPWH, and extrapolated the usage from that to the full year. Not exactly a precise measurement, given that the boiler is on in the winter time anyway but it’s a reasonable approximation.

The Energy Information Administration publishs the carbon emission equivalent for a number of fuels. Diesel or Fuel oil releases approximately 22.5 pounds of carbon dioxide per gallon. Using the estimation that heating water for domestic use burned a full 275 gallon tank of oil annually, we can calculate that hot water caused around three tons of carbon emissions from my household.

EIA also publishes the carbon intensity of the Massachusetts grid as around 952lbs per MWh. Our water heater used 700kWh (0.7MWh) in 2024, making our carbon dioxide emissions from the HPWH around 666 lbs of carbon – or around an 89% reduction in carbon dioxide! We have a PPA agreement in place to purchase 100% renewable power, which should reduce that further – though that’s mostly an accounting trick. In addition, we have solar panels on our roof which should reduce our usage further.

Conclusion

We’ve been quite happy with our Rheem Proterra HPWH so far. Others online seem to have reliability issues with the newer units, but we have not encountered any problem with ours yet. Our unit provides the hot water that we need reliably and efficiently. Hopefully we will not have to exercise the 10 year warranty!

Temporarily Enabling Analytics

Mon, 04 Sep 2023 14:00:00 -0400

I’m trying an experiment with Cloudflare analytics and have enabled it on this page.

I’ve enabled a Javascript beacon on the page footer which supposedly allows me to collect pageviews.

According to Cloudflare, this beacon plays nice with keeping readers information private.

Cloudflare Web Analytics does not use any client-side state, such as cookies or localStorage, to collect usage metrics. We also don’t “fingerprint” individuals via their IP address, User Agent string, or any other data for the purpose of displaying analytics.

ELECTRIFY ALL THE THINGS!

Fri, 13 May 2022 16:00:00 -0400

If you’re coming here from the Chelsea Research Festival, I’ll be uploading more information about the project in the coming days.

T-Mobile Home ISP Service Review with OpenWRT

Thu, 20 May 2021 17:39:00 -0400

Comcast and I have long had a strained relationship. I recognize that the service they’ve offered in the houses and apartments that I’ve lived in has been reliable. However, I’ve never been a big fan of their business and billing practices.

For example, I purchased my own DOCSIS 3.0 cable modem some years ago when I first got their internet service. Some months in, I noticed that they were charging me for a cable modem rental. When I contacted them about this, they were insistent that I prove to them that I bought my own cable modem before they would refund the fees. I might recall this incorrectly, but I believe they had requested that I fax my proof of purchase to a number as they did not have an email address setup for such things.

After that, it was smooth sailing until they charged me full freight for the service and refused to honor the deal they had agreed to. At the end, we put some reasonable deal in place for internet service for some years.

Two years ago, my wife and I bought a house and transferred our service there. As part of that, Comcast has an automatic contact renewal program on their website. I agreed to an additional two years at the rate I was paying – and after a month or two, my bill went up dramatically. Apparently I had exposed some glitch in their system which signed contracts on their behalf that they had no intention to honor. After weeks of wasted time, I ended up giving in and accepting crappier service for more money since I didn’t have any other option. Looking back, I should have filed a complaint with the Massachusetts Attorney General.

Finally, in November 2020 Comcast announced both a 1.2TB data caps and a rate hike. Coincidentally, our data usage somehow jumped up 20% the month after they announced the data cap enforcement. I hadn’t been keeping track of our data usage on our router at that time, so I can’t rule out that our usage did actually increase - but the timing is suspicious.

Figure 1: Comcast Data Usage

Although Comcast did backpedal on the data cap enforcement, this has led me to seek other options in earnest. In our city, you have two choices for “broadband”: Verizon’s DSL and Comcast. In today’s age, with the Website Obesity Crisis in full swing 1.5Mbps is not going to cut it for a multi-user household. There are some companies who service larger buildings like NetBlazr and Starry, but they’re not interested in working with single family homes.

Last December, I saw some news on Reddit about a new home ISP service from T-Mobile. They were targeting speeds of 50Mbps / 50Mbps upload and download without data caps for $50 / mo inclusive of taxes, fees and including the equipment. Our Comcast plan included ~100Mbps download with a paltry 5-7Mbps upload for over $100/mo. The Comcast plan included a cable package which is rarely used, but the bundle was cheaper than the standalone service.

In January, we decided to give the T-Mobile service a try. Although their eligibility webform said our address wasn’t eligible, the customer service agents said that we were.

Solution

The Nokia “trash can” looks like an extremely powerful device, but it’s crippled by locked down software. There aren’t many knobs that you can turn on the device – perfect for my parents, but not great for someone who already has a network setup. In my use, I found there were a few issues:

No bridge mode, so it’s not exactly a 1:1 replacement for the cable modem. The Nokia device pulls down the IP address from T-Mobile. Using your own router connected to the Nokia router means you’re dealing with a double-NAT setup.
The T-Mobile DNS servers are a bit flaky. Configuring my device to use another DNS server improved this by quite a bit.
The Bufferbloat is pretty bad. When the connection starts to get saturated, the ping times grow substantially.
No ability to setup isolated networks for untrusted devices.
The 5G connection seems to have flaked out over time.

Setup

Network Overview

I already have a reasonably well setup home network using an OpenWRT Based Turris Omnia Router, with separate IP ranges and WiFI networks for trusted devices, guests and untrusted IoT devices. I also have a nice UniFi Access point which covers my entire home quite well. Due to this I decided to accept the potential headache from double-NAT and put the router behind the T-Mobile device.

T-Mobile doesn’t have enough IPv4 addresses available for all of its customers, so they run an IPv6-first network and use Carrier Grade NAT (CGNAT) to allow multiple users to share a single IPv4 address. This comes with a performance hit. Fortunately IPv6-enabled websites are becoming more and more common. As such, it is desirable for the devices on my network to be able to have a real IPv6 address.

I don’t pretend to understand IPv6 address allocation perfectly. There are multiple ways in which your device can get an IP address. XFinity supported “prefix delegation” which tells your router that it can feel free to hand out addresses in a given range to all of the devices connected to it using a DHCPv6 server. Unfortunately, the T-Mobile router doesn’t allow delegation to your router. Fortunately OpenWRT supports a “relay” mode for IPv6 address allocation. In order to enable this, a few settings need to be changed from the default settings:

OpenWRT / Omnia Configuration

I had to make some configuration changes to the OpenWRT-based Turris Omnia in order to improve the performance.

IPV6 Relay

When I plugged the WAN port of the Turris Omnia into the LAN port on the Nokia router, the Omnia pulled down an IPv4 and IPv6 address. The Omnia proceeded to hand out private 192.168.1.0/24 IPv4 addresses to the clients connected to it, but did not assign any IPv6 addresses to the clients.

The /r/tmobileisp subreddit has some good advice on occasion. I ran into a comment from a user which provided some ideas on how to work around this. The following code blocks show the LAN and WAN6 blocks of my /etc/config/dhcp file.

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option ra_management '1'
        list dhcp_option '6,192.168.1.1'

Code Snippet 1: /etc/config/dhcp WAN settings

config dhcp 'wan6'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'
        option interface 'wan6'
        option start '100'
        option leasetime '12h'
        option limit '150'

Code Snippet 2: /etc/config/dhcp WAN6 settings

After making these changes, the devices on my network were all able to pull IPv6 addresses down. I believe that they’re assigned by the Nokia gateway.

DNS Settings

The T-Mobile DNS servers are a source of many complaints on Reddit. It seems that they can be a bit overloaded at times. Due to this, I wanted to configure my router The Turris Omnia uses a non-standard DNS resolver called Knot. It’s written by the same folks who built the Omnia. Most OpenWRT devices seem to use DNSmasq, so most of the documentation online is based around this.

In the “Foris” simplified management interface on the Omnia, you can select the DNS server you would like your router to use.

I chose to use the Cloudflare DNS servers due to their reasonable privacy policy. Their IPv4 endpoints are 1.1.1.1 and 1.0.0.1. In addition, they provide IPv6 endpoints at 2606:4700:4700::1111 and 2606:4700:4700::1001. They also have end points which provide adult content and malware filtering.

I believe that I had to add in the IPv6 endpoints into the following file:

name="99_cloudflare.conf"
description="Cloudflare (TLS)"-0t5f4rdas9T4rewq
enable_tls="1"
port="853"
ipv4="1.1.1.1 1.0.0.1"
ipv6="2606:4700:4700::1111 2606:4700:4700::1001"

ca_file="/etc/ssl/certs/ca-certificates.crt"
hostname="cloudflare-dns.com"

Code Snippet 3: /etc/resolver/dns_servers/99_cloudflare.conf

BufferBloat

Bufferbloat is a condition where the latency of a network connection increases dramatically under load. This can make applications which are time sensitive like video and voice chat malfunction when the network connection is loaded.

The Nokia router does not seem to have any mitigations in place for this, so I enabled Smart Queue Management (SQM) on the Omnia. In general, this trades off a bit of maximum throughput for more consistent latency performance.

I’m using the CAKE queueing algorithm, as described in this article on the OpenWRT website. This did make a notable improvement in the bufferbloat performace.

External Access

Unfortunately, the T-Mobile service does not provide a publicly routable address which means that remotely accessing local resources is a challenge. There are online services which can mitigate this. One option would have been to connect router to a server with a public IP address and use that host as a means of connecting to local servers. There are some other commercial solutions. I settled on one called Tailscale at the recommendation of tptacek on Hacker News. So far it works well on all of my devices. Occasionally I will need to open the app on my iOS devices to reconnect, but that’s all.

Concerns

Although T-Mobile has been reasonable enough to work with commercially, they have had a history of concerning privacy practices. In 2018, they were caught selling location data to data brokers who then resold to a number of unsavory parties including bounty hunters. Supposedly this practice has stopped, but they have not ever responded to my requests to confirm whom my location data was shared with.

In addition, they have recently launched an ad platform which leverages your browsing history to target ads. There is an opt-out which I suggest everyone take advantage of, but you shouldn’t need to opt-out to this kind of nonsense. It should simply be illegal.

With all of my complaints about Comcast, they were definitely better on this front. Depending on how things evolve with T-Mobile, this might end up being a reason to switch back.

Conclusion

We’ve been running the service for approximately a month, and it’s been fine. Good enough that we canceled our Comcast service. For whatever reason, we only pull a 5G signal sporadically so most of our data are transferring over LTE. Despite that, we get approximately 50Mpbs down / 50Mbps up rather consistently when connected directly to the Nokia “trash can” either via Wifi or plugged in. On the occasions when the device pulls a 5G connection, the download speed increases to around 200Mbps.

I’m looking forward to seeing what T-Mobile brings us with future network and software upgrades. I’m hoping that they will make positive steps to address the privacy considerations.

I think that our long term relationship with T-Mobile may hinge on their improving their privacy practices. Hopefully they will come to the light and start to protect customer data better.

Setting up a UPS for a home lab

Sat, 23 Jan 2021 00:00:00 +0000

After a recent power outage at our house, I purchased a UPS to help keep the internet online the next time. In addition, we noticed that when there was an outage the power tended to come on and off multiple times before stabilizing.

I’ve been trying to buy products from brick and mortar stores rather than Amazon due to the prevalence of counterfeit products mixed in with legitimate goods. In our area, Microcenter tends to be a decent option for computer and maker related items. They offer a price match which removes the downside of purchasing in-person.

I ended up purchasing a Cyberpower LE1000DG UPS. There were other options, but this one seemed reasonable enough. When I got it home, I discovered that there was a USB port on it. This port allows a computer to monitor the status of the UPS. I thought this was pretty neat, as it would allow me to automatically cleanly power down devices selectively depending on how long the outage lasts for.

The router we use at home is a Turris Omnia. CZ.NIC, a Czech ISP created the device for use as the digital center for homes. The device has a moderately fast CPU, generous RAM and eMMC memory and allows the use of an m-SATA SSD to expand the storage available on the device. Having the high spec allows the router to share a few roles like running a Wireguard VPN, an OpenVPN VPN, print server, or NextCloud server. It even has the capability to run Linux Containers using LXD.

The software on the devices is OpenWRT based which means there is a lot of packaged software available. One of the packages available is the Network UPS Tools (NUT) package. This package consists of two parts:

nut_server - a daemon which connects to the UPS hardware.
nut_monitor - a daemon which periodically communicates with the nut_server to get the status of the hardware.

Software installation

Fortunately, OpenWRT packages the NUT software and provides a nice wiki page. I find using the command line interface more convenient than using the LuCi web interface to install and configure packages.

> opkg update

> opkg install nut nut-common nut-upsmon nut-upscmd nut-server nut-driver-usbhid-ups

For space reasons, OpenWRT splits out the drivers from the NUT software. The driver / UPS pairings are on the NUT website. For the LE1000DG UPS, the correct driver is the USB-HID one.

After installing the software, we need to setup the configuration.

config driver_global 'driver_global'
        option user 'nut'

config driver 'ups'
        option driver 'usbhid-ups'
        option port 'auto'
        option pollinterval '15'

config user
        option username 'upsuser'
        option password '1337p455w0rd'
        option upsmon 'master'

config listen_address
        option port '3493'
        option address '192.168.1.1'

config upsd 'upsd'
        option maxage '15'
        option statepath '/var/run/nut'
        option maxconn '1024'
        option runas 'nut'

config upsmon 'upsmon'
        option hostsync '15'
        option deadtime '25'
        option notifycmd '/usr/sbin/sms.sh'
        option onlinemsg 'UPS %s on line power'
        option onbattmsg 'UPS %s on battery'
        option lowbattmsg 'UPS %s battery is low'
        option fsdmsg 'UPS %s: forced shutdown in progress'
        option commokmsg 'Communications with UPS %s established'
        option commbadmsg 'Communications with UPS %s lost'
        option shutdownmsg 'Auto logout and shutdown proceeding'
        option replbattmsg 'UPS %s battery needs to be replaced'
        option nocommmsg 'UPS %s is unavailable'
        option noparentmsg 'upsmon parent process died - shutdown impossible'
        option lowbattnotify 'EXEC+SYSLOG'
        option commoknotify 'EXEC+SYSLOG'
        option commbadnotify 'EXEC+SYSLOG'
        option shutdownnotify 'EXEC+SYSLOG'
        option nocommnotify 'EXEC+SYSLOG'
        option noparentnotify 'EXEC+SYSLOG'
        list onlinenotify 'EXEC'
        list onlinenotify 'SYSLOG'
        list onbattnotify 'EXEC'
        list onbattnotify 'SYSLOG'
        list fsdnotify 'EXEC'
        list fsdnotify 'SYSLOG'
        list replbattnotify 'EXEC'
        list replbattnotify 'SYSLOG'

config master
        option upsname 'ups'
        option port '3493'
        option powervalue '1'
        option username 'upsuser'
        option password '1337p455w0rd'
        option hostname '192.168.1.1'

In the upsmon configuration section, note the “notifycmd” line. This line calls a user defined program to do something when an event happens. In my case, I’m using Flowroute’s SMS API to send me a text when the power goes out and back on.

The SMS script uses curl with the access token and API jey to send a message passed in as an argument. The text of the message is from the “onlinemsg”, “onbatterymsg” and other similar lines.

#!/usr/bin/env bash
set -euo pipefail

ACCESS="API_ACCESS_TOKEN"
KEY="API_KEY"


curl https://api.flowroute.com/v2.1/messages \
-u $ACCESS:$KEY -X POST \
-H "Content-Type: application/json" \
-d "{\"to\":\"TONUMBER\"\",\"from\":\"FROMNUMBER\", \"body\":\"$1\"}"

Replace the API_ACCESS_TOKEN, API_KEY, FROMNUMBER and TONUMBER with the appropriate values for your environment. So far this has worked quite well for me!

Now that we have communication with the UPS and notifications sorted out, the next step is to configure other computers running on the UPS to power down safely when the power goes out. The threshold for each device should depend on how critical a service is.

On my network, I have a small fileserver that I’d like to shut down when the power goes off. This machine is running a recent LTS version of Ubuntu.

$ sudo apt install nut-client

This installs a client which can communicate with the nut server running on the router. The installed configuration file (/etc/nut/nut.conf) has a lot of comments in it, but the key line is the following:

MODE=netclient

The /etc/upsmon.conf file should include the following lines:

MONITOR ups@192.168.1.1 1 upsuser 1337p455w0rd slave

SHUTDOWNCMD "/sbin/shutdown -h +0"

The “slave” designation indicates that the system should power down when the UPS level is critical. You can call out a custom shutdown script to perform some actions prior to shutting down.

Final Thoughts

This setup has been running at my house for several months now, and worked as designed during a power outage. My file server shut itself down, preserving power for my cable modem, wireless access points and my router.

GE Profile Stove turning on by itself

Sat, 02 Jan 2021 10:30:00 -0500

Prior to moving in our house, we replaced the old coil burner stove with a nice fancy GE Profile Induction range - their PHS930SL2SS model. I grew up with a coil burner and don’t really want to relive the experience! Overall, we’ve been happy with the stove, but we’ve had several issues addressed under warranty - mostly minor.

Minor issues:

The convection fan’s nut came loose and it flew off while cooking - easy repair.
The temperature probe and jack required replacement after some usage - easy repair.

However, we have had one major issue with the stove – while using the oven, the induction burners on the left side will turn themselves on. When this happens, the burner controls for the misbehaving burners won’t work reliably. In order to turn the burners off you have to engage the “lock mode” on the stove, which has the unfortunate but understandable side effect of turning off the oven. This has happened many times over the past year - and has persisted even after a new control panel.

A video of the issue occurring:

Your browser does not support the video tag.

In the video, the burners pop on and off – but we’ve also had them turn on and set to a particular level. When this happens it’s difficult to turn them off unless you use the “panel lock”.

We have noticed that this state is most likely to occur when we’re cooking food which lets off moisture in the oven using convection mode - roasted potatoes are a frequent culprit. Often times there will be a lot of steam which comes out of the oven when you open it. There are ventilation holes on the left side of the stove directly above the oven opening. Our theory is that this hot moist air comes up through the ventilation holes and condenses on the backside of the control panel. The condensed water droplets can cause phantom touches on the capacitive touch screen.

We contacted GE about this and have filed a report with the Consumer Product Safety Commission since this is dangerous - if there is a pan on the stove, it could heat uncontrollably. Just before the holidays, GE Appliance (a division of Haier) Corporate reached out. I provided them with all of our findings. It will be interesting to see what they come back with in the New Year.

I’ll update this post as new information comes.

Update <2021-01-23 Sat>

GE Appliances got in touch with me a short while ago and they have replaced the stove with their latest production model free of charge. We haven’t had a chance to use it much yet - but it seems fine so far.

The most interesting part about it is that the new “Air Fryer” mode requires a WiFi connection. It’s not clear why this is, as there are no extra sensors or anything like that used. It worries me that they could shut off whatever service it’s using in the future and brick that feature.

I’ll try to put a more thorough review together sometime soon.

Chevy Volt Air Filter - The manual is wrong!

Sun, 18 Oct 2020 20:39:00 -0400

After our old Ford Fusion went for a swim in a rainstorm, we brought home a 2016 Chevy Volt. We’ve enjoyed driving the car over the past year. It’s a lot of fun to drive - and we really appreciate almost never needing to stop at a gas station. My wife likes the car as well.

We’re coming up on the 45,000mi service checkpoint. In general, electic vehicles don’t have much to maintain. At this checkpoint, GM suggests changing the engine air filter and the passenger cabin air filter.

The usual first step in changing the air filter was to check the user manual. According to the manual available from the Chevy website, the correct part number is an AC Delco Part A3148C.

When I searched all of the typical automotive supply companies - AutoZone, O’Reilly, RockAuto, they all showed a different part as the correct one. Digging into this further, I found this thread on an online Volt forum. It turns out the manual is incorrect. It seems that they never updated the manual when they released the Gen2 car in 2016. The correct part is AC Delco A3217C.

Model Year	Generation	Air Filter Part	Cabin Air Filter
2012	1	AC Delco A3148C	AC Delco CF185
2013	1	AC Delco A3148C	AC Delco CF185
2014	1	AC Delco A3148C	AC Delco CF185
2015	1	AC Delco A3148C	AC Delco CF185
2016	2	AC Delco A3217C	AC Delco CF185
2017	2	AC Delco A3217C	AC Delco CF185
2018	2	AC Delco A3217C	AC Delco CF185
2019	2	AC Delco A3217C	AC Delco CF185

Considering how few parts are actually replaced during maintenence on the Volt, I’m surprised they had the same misprint two years in a row! Moreover, this isn’t documented in any errata that I could find. Of course, GM will lean on the information in the manual to deny warranty coverage.

Hopefully this post will save some time for someone out there!

Happy New Year!

Mon, 31 Dec 2018 23:39:00 -0500

Happy New Year to All!

We have a lot to be thankful for this year - loving family, good job, etc. There’s an awful lot wrong with the world, but there’s an awful lot that’s improving also. [1]

I’m looking forward to doing my part to keep the ship afloat for another year!

[1] https://www.csmonitor.com/World/Progress-Watch **

Paypal cutting off VPN services

Sat, 06 Feb 2016 00:06:00 -0500

I saw recently that Paypal would start blocking VPN and SmartDNS services. Their rationale is that VPN services can be used for copyright infringement.

They are correct in that VPN services can be used for copyright infringement – they can be used to shield your IP address from others and to make it appear that your traffic is coming from some other location. However, this isn’t the only use of a VPN service. I use a VPN service to shield my traffic from being intercepted and modified by my local Internet providers.

As an example, several years back, I stayed in the Fairmont SFO for a work trip. The Fairmont is a beautiful hotel with very nice service. Unfortunately their WiFi service insists on injecting advertising frames into all of the non-SSL secured websites that you visit. I immediately signed up for a VPN service to protect against this.

Other providers have a history of similar behavior – see the VZW PermaCookie scandal from a few years back. I’ve also heard that AT&T’s broadband service is rolling out similar programs. From what I can tell, it seems that your local ISP should be treated as a potentially hostile actor.

Moreover if you’re using an open wireless access point, all your traffic is being transmitted in the clear. Everyone can see what you’re transmitting and what sites you are visiting. A VPN can also be used to protect against this.

My use of a VPN is to secure my Internet traffic from my local internet provider – either at my home or using the open WiFi at coffeeshops and hotels, not for copyright infringement.

I believe that PayPal is mistaken in this case – VPNs have substantial non-infringing uses and should not be shut down because some users use them to pirate TV shows.

Letter to the White House regarding cryptography.

Fri, 15 Jan 2016 00:00:00 -0500

Back in December, Ed Felten and the White House asked for public comment on the EFF’s pro-cryptography petition. This is the letter that I had sent. I urge you to file a comment.

Dr. Felten and President Obama,

I strongly urge you to support the unfettered deployment of strong encryption without compromise or backdoors.

The fact of the matter is that people have a right to be secure in their persons, papers and effects. The UN Declaration of Human Rights, to which the United States is a signatory specifies in Article 12 that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” In today’s world, strong encryption is a necessary component to prevent arbitrary interference with our privacy and communications – by both state and commercial actors.

At the end of the first Cryptowar in the late 1990s, we decided that the risk of not deploying strong encryption outweighed any potential of criminal usage. All the known ways of reducing the strength of encryption algorithms have one intractable problem – math has no way to only allow the “good guys” to decrypt communication without providing similar capability to the “bad guys” – repressive nations and criminals. None of these techniques work; smarter people than I have been saying this for many years – see the work by Bruce Schneier, Matthew Green, and even you Professor Felton. As you pointed out last March on the Freedom to Tinker blog, the FREAK attack shows that we’re still dealing with the fallout of the weakened cryptography of yesteryear. [1]

Even assuming that there was some way to design a system in which the state could retain access as needed, how does one determine who has access? Is it only for the Five Eyes or NATO nations? Or will the whole world have access? Despite NSA Director Rogers’ assurance that “we can work through this”, I’m not so sure.[2]

Silent Circle’s Jon Callas pointed out a flaw in this: “We said in public we would not tolerate bad people subscribing to our service,” he said. “We also know that what that really means is really kind of squishy. Let me give you an example: Let’s take the Dalai Lama. We supply communications services to the government of Tibet. Is the government of Tibet good guys or bad guys? We made the decision the Dalai Lama is a good guy, but if you ask the Chinese, they’re bad guys.” [3]

The United States should be leading the charge for private communications, not working to prevent this. Many politicians have invoked the image of the “Shining City on a Hill” as a proxy for American Exceptionalism. We should strive to live up to this dream – and not adopt the techniques of repressive nations for a purported short term gain. The Snowden documents have shone a light into a dark place. Let’s use this as an opportunity to live up to the best images of ourselves.

Thank you, Merry Christmas and Happy Holidays,

1: https://freedom-to-tinker.com/blog/felten/freak-attack-the-chickens-of-90s-crypto-restriction-come-home-to-roost/

2: https://www.washingtonpost.com/news/the-switch/wp/2015/02/23/heres-how-the-clash-between-the-nsa-director-and-a-senior-yahoo-executive-went-down/

3: http://www.csmonitor.com/World/Passcode/2015/1217/Tech-firms-push-back-on-reactionary-politics-following-terror-attacks

Vizio Privacy Policies

Sat, 21 Nov 2015 21:21:00 -0500

I recently came into possession of a nice new Vizio Smart TV. It’s pretty nice - 1080p, Netflix, etc. As part of the process for connecting the television to the internet, they made you agree to a number of different license agreements and privacy policies. In a fit of UX mastery, they did not show the privacy and license agreements on the television, instead instructing you to type a long URL into your web browser and reading the policies there. Nevertheless, they insisted upon your agreement before connecting to the Internet.

For fun, I decided to look up the privacy polices that I was agreeing to. There are some interesting bits there. The whole Vizio privacy can be found here.

VIZIO, Inc. and its affiliates (“VIZIO” or “we”) respect your privacy. Your privacy is a priority at VIZIO, and we take responsible measures to protect it.

Whew! I was really concerned that they didn’t care about my privacy!

This Privacy Policy also contains information on Smart Interactivity, a feature on Internet-connected televisions that recognizes onscreen content and may in the future permit you to interact with this content. You have the option in your television’s settings menu to disable this feature, which is set to “on” by default. As part of Smart Interactivity, VIZIO may collect and use anonymous viewing data associated with your television. VIZIO’s collection and use of this viewing data is described below in the Smart Interactivity Supplement to the Privacy Policy.

We turn on data gathering by default for your convenience!

By accessing and using VIZIO products and services, you agree to accept the terms and conditions of this Privacy Policy, and you consent to our use and disclosure of the information collected by us or submitted to us. You also acknowledge that you are aware that this policy may change over time. The effective date of this Privacy Policy is stated above.

We can change it whenever we want and if you don’t like it, you can’t use your television.

WHAT INFORMATION WE COLLECT Non-Personal or Anonymous Information. Non-Personal or Anonymous Information. We also collect data in a form that does not, on its own, permit direct association with any specific individual. We consider this Non-Personal or Anonymous Information. We may collect, use, transfer, and disclose Non-Personal Information for any purpose. Examples of Non-Personal Information we collect, use and share include the IP address you use to connect your Internet-connected products, your ZIP code, the online services you visit, as well as information about your VIZIO product such as MAC addresses, product model numbers, hardware and software versions, chipset IDs, and region and language settings. We also collect information about the products you request or purchase, the presence of other devices connected to your local network, and the number of users and frequency of use of VIZIO products and services. VIZIO also collects Anonymous Information regarding customer activities on our websites, on Internet-connected products and services, and on VIZIO’s Internet store.

We respect your privacy by collecting non-personal things like your IP address, location, as well as the online services (websites?) you visit! In addition, we portscan your network and send the information back to our servers. Do they also index the filex you have shared on your Samba server?

Cookies. VIZIO uses session and persistent “cookies” to collect information when you visit VIZIO’s website or online store, and uses pixel tags (also known as pixels or web beacons) to place and read these cookies. A cookie is a small data file that VIZIO transfers to your device and is stored locally on your device. Cookies are used by thousands of websites in order to enhance the website experience. When you visit VIZIO’s websites, we use cookies to identify your device so that you do not have to re-register each time you visit, and we use them to anonymously measure the traffic to our site and its different services and features. We also contract with third party service providers who use anonymous cookies to tag visitors to our online store and website. These cookies may be persistent, which means that they enable us to track and target the interests of our users to enhance the experience on our partners’ websites. Persistent cookies remain on your local storage for an extended period of time. If you have one of these persistent cookies, you may see advertisements for our products displayed on other publishers’ websites which you visit. Your browser contains features to help you manage cookies. You may remove or prevent placement of cookies by following the directions provided in your browser’s “help” file.

I guess this is fairly standard these days on websites. uBlock and Privacy Badger seem to do a reasonable enough job of filtering out ads on the Internet.

Viewing Data. As part of Smart Interactivity, VIZIO also collects specific information relating to your viewing of content on Internet-connected devices. This data is referred to as “Viewing Data.” This collection of Viewing Data is described under the “Smart Interactivity Supplement to the Privacy Policy“ below.

We watch what you watch. For your convenience.

Viewing Data. The use of Viewing Data, including Viewing Data combined with IP addresses or Non-Personal or Anonymous Information, is described under the “Smart Interactivity Supplement to the Privacy Policy” below.

We combine that non-identifying data with the content that you watch for some reason.

HOW WE PROTECT INFORMATION

Protective Measures. VIZIO has implemented systems designed to maintain the confidentiality of the Personal Information that it collects. VIZIO maintains internal practices designed to protect the security and confidentiality of this information by, among other things, limiting employee access to and use of this information. When you provide VIZIO with sensitive Personal Information such as credit card numbers over the Internet, we encrypt your transmissions using SSL (“Secure Sockets Layer”), and other industry standard security technology. While no one can guarantee the security of a website, Internet transmission, computer system or wireless connection, we do employ common safeguards intended to mitigate the risk of unauthorized access or disclosure of the Personal Information we store or handle. We keep such information on servers located in controlled facilities that are protected by firewalls and employ other technical measures designed to prevent intrusion or unauthorized access to our data centers. We maintain written policies and procedures for the protection of the Personal Information collected, stored, handled, or processed on our systems. For employees with access to Personal Information, we provide training to employees on privacy and data security.

We take security seriously! Just like Target.

HOW YOU CAN ACCESS OR REMOVE YOUR PERSONAL INFORMATION

If you desire access to view, correct or remove your own Personal Information, you may do so by emailing us at privacy@vizio.com or by calling 877-698-4946. If you request removal of Personal Information, you acknowledge that residual Personal Information may continue to reside in VIZIO’s records and archives, but VIZIO will not use that Personal Information going forward for commercial purposes. VIZIO reserves the right to maintain your Personal Information if VIZIO has suspended, limited, or terminated your access to the VIZIO website or VIZIO products and services for violating any applicable Terms of Use or the VIZIO Internet Apps Software License Agreement. This paragraph does not apply to VIZIO’s collection of Non-Personal or Anonymous Information.

I’ll try to call these guys one of these days and find out what data is associated with my account.

VIZIO.COM: DO NOT TRACK

VIZIO does not knowingly track Personal Information about visitors to VIZIO.com over different sites and over time, and it does not enable third parties to do so, regardless of whether VIZIO detects a do-not-track or similar signal from a visitor’s browser.

This is at least good!

SMART INTERACTIVITY – OVERVIEW

Smart Interactivity is a feature on Internet-connected VIZIO televisions that recognizes onscreen content. Currently, we only use this feature to gather data on a non-personal or anonymous basis, as described below. You have the option to turn this feature off at any time directly from the menu of your television.

However, in understanding this feature of your VIZIO television (and your option to disable this feature), we also want you to know that VIZIO is developing technologies that will permit you to interact with content in a variety of ways. These interactions may include voting in polls, accessing bonus content, and viewing advertisements that match your interests, based upon your viewing behaviors. Only some of these features (outlined below) are currently deployed, however. This Privacy Policy may therefore be modified from time to time as new features and functionality become available.

I am very glad that they’re willing to permit me to view advertisments based on my viewing behavior!! I’ve turned this feature off.

WHAT VIEWING DATA WE COLLECT

For VIZIO televisions that have Smart Interactivity enabled, VIZIO will collect data related to publicly available content displayed on your television, such as the identity of your broadcast, cable, or satellite television provider, and the television programs and commercials viewed (including time, date, channel, and whether you view them live or at a later time). This data is referred to as “Viewing Data.” The Viewing Data collected by VIZIO is anonymous and does not contain Personal Information. VIZIO does not collect Viewing Data from televisions located outside the United States.

We track who your provider is, what you watch and when you watch it. And we totally don’t combine it with all that non-identifying information that we talked about earlier!

Except where prohibited by law or policy, the Smart Interactivity feature is turned on by default. However, at any time you may turn off Smart Interactivity (and the associated collection of Viewing Data) from the menu of your VIZIO television. Turning Smart Interactivity off will not affect the performance of your VIZIO television or any online services. For specific instructions on how to turn Smart Interactivity off or on, see the text below under the heading “How to

For your convenience, you’ve been opted into the fun!

HOW WE USE THE VIEWING DATA WE COLLECT

VIZIO currently uses the Viewing Data collected from Smart Interactivity for the following purposes:

Beginning October 31, 2015, VIZIO will use Viewing Data together with your IP address and other Non-Personal Information in order to inform third party selection and delivery of targeted and re-targeted advertisements. These advertisements may be delivered to smartphones, tablets, PCs or other internet-connected devices that share an IP address or other identifier with your Smart TV. VIZIO combines the Viewing Data with IP address and other Non-Personal Information as well as other non-personal information (such as demographic information) it obtains from third parties in order to enhance, model and further analyze the Viewing Data. VIZIO shares the Viewing Data with media and data analytics companies as described below under the heading “How We Share the Viewing Data.” VIZIO does not combine or associate the Viewing Data with Personal Information.

We will figure out what phones and other computers that you’re using on the same network and combine that with a bunch of data we get from our “partners”. We then sell that bundle to ad networks who have been tracking your device location and they use that information to sell you stuff! Remember all that they collect is non-identifying, but those ad networks sure as heck know who you are.

HOW WE SHARE THE VIEWING DATA

VIZIO shares the Viewing Data in the aggregate with media and data analytics companies who have a business need to analyze television viewing behaviors in the aggregate. This analysis permits these companies to make, for example, better-informed decisions regarding content production, programming and advertising. VIZIO minimizes the sharing of Non-Personal device identifiers such as IP addresses. In most cases VIZIO hashes and replaces these identifiers before sharing them with our media and analytics partners. When VIZIO shares IP addresses with third parties, VIZIO imposes strict conditions of confidentiality and use on such third parties.

I’ll just leave this here. TL;DR, it’s not hard to deanonymize data.

We also share Viewing Data to facilitate the display of tailored advertisements on other devices. As of October 31, 2015, VIZIO will share Viewing Data, together with the IP address associated with the corresponding VIZIO television, with limited third parties with whom we have specifically partnered. These third parties may combine this information with other information about devices associated with that IP address, in order to customize the advertisements displayed on those other devices.

Your Netflix habits will follow you around. Watching too much Aqua Teen Hunger force? Prepare for Cheetos advertisements.

You always have the option to turn off the collection of Viewing Data in your television’s settings menu. However, for a period of time you may continue to see tailored ads on other devices that were targeted on the basis of Viewing Data that was shared before you turned off collection.

It’s going to be hard to verify if they’re not collecting this information anyway and uploading it to the server.

HOW WE PROTECT THE VIEWING DATA

VIZIO first protects the Viewing Data by not combining or associating the Viewing Data with Personal Information, even if VIZIO has collected Personal Information from other sources, such as an online purchase, account creation, or product registration. VIZIO also protects the Viewing Data according to the same standards that it uses to protect Personal Information and Non-Personal Information as described above, including by requiring the third parties who analyze or use the Viewing Data to employ reasonable security measures.

Even though the Viewing Data does not contain Personal Information, VIZIO encrypts the Viewing Data before transmission over the Internet.

Both of these are good things for sure! Unfortunately, as we’ve seen in many other cases “anonymous” information is fairly easy to deanonymize – especially when you can correlate the IP addresses with other data sources.

Summary

If I continue to use the “smart” features of this television, I will have to setup some firewall rules so that it can’t see anything else on my network. Currently it’s connected to an open access point and only has access to the Internet and no ability to see other devices on the network.

Since I started writing this, ProPublica has taken notice of the lousy privacy policy. I recommend reading their analysis of Vizio’s SmartTV program.

Notmuch of mail a setup Part 2 - notmuch and Emacs

Sat, 21 Nov 2015 00:00:00 -0500

In my previous post on this topic, I tried to detail the way that I fetch and send email using my laptop using a combination of mbsync and systemd. This has been working extremely well – it runs in the background and does the right thing when I am connected to the Internet. The only issue with this setup is that I’ll occasionally need to clear a lockfile out of the .msmtp-queue directory. This is quite rare, however.

The nicest thing about using a Maildir to store your mail is that you can act on the mail using a variety of different programs – some folks prefer using Mutt to read their mail, others prefer something else. Most popular mail software on Linux seems to support storing things in Maildirs – with the apparent exception of Thunderbird.

One of the killer features of Gmail when it came out was the ability to quickly search through your email and to automatically tag it in different ways. This was one of the things that I missed moving my email to a local client – Thunderbird didn’t particularly care for searching through my 25GB mail archive. Enter Notmuch.

Notmuch is a small piece of software that wraps around the Xapian search library to index and search through a large amount of data quite easily. The name comes from the fact that the software doesn’t fetch your mail, send your mail or even really index your mail – i.e. it doesn’t do much.

Notmuch really does a few things:

Indexes your mail using Xapian
Associates your mail with different tags – similar to Gmail. The tags are stored in the database.
Help search through Xapian efficiently.

It doesn’t:

Get the mail.
Write the mail.
Send the mail.

That’s about it. It relies on other programs in order to actually do anything with the mail.

One important thing to note is that everything in Notmuch is a tag. The actual folder structure of your emails doesn’t really matter – all that matters are the tags in the headers.

Getting setup with Notmuch

First things first – pull your email onto your local device. I describe a working setup here. This setup includes both pulling email off of the server and sending email through your SMTP server.

Next, you will want to install notmuch and GNU Emacs. I installed both from my Linux distribution’s package manager. You will also want to install a second script called afew. Afew is a set of python scripts that assist in tagging your email. I installed afew to my ~/.local/bin directory.

You should setup the notmuch configuration file next. You can do this by using the command notmuch. This will walk you through a few configuration steps where you need to identify your own email addresses. I added all of the addresses that I’ve ever used since I tend to store lots of email.

After running the configuration wizard, you will want to edit the [new] mail configuration so that it reads:

.notmuch-config

# Configuration for "notmuch new"
#
# The following options are supported here:
#
#   tags    A list (separated by ';') of the tags that will be
#       added to all messages incorporated by "notmuch new".
#
#   ignore  A list (separated by ';') of file and directory names
#       that will not be searched for messages by "notmuch new".
#
# NOTE: *Every* file/directory that goes by one of those
# names will be ignored, independent of its depth/location
# in the mail store.


[new]
tags=new;
ignore=Trash

This configures the notmuch new command to read in and index all the mail and apply the new tag to it. We’re using this tag to let afew know what messages it needs to operate on.

Next, you want to configure afew. I’m using the following configuration file:

~/.config/afew/config

#default filter chain
[SpamFilter]
[KillThreadsFilter]
[ListMailsFilter]
[SentMailsFilter]
sent_tag = sent
[ArchiveSentMailsFilter]


[Filter.1]
message = "Facebook"
query = 'from:facebookmail.com'
tags = +facebook;+unread;-new

[Filter.2]
message = "Spam"
query = 'from:"Global Who\'sWho" OR from:Touchfire OR from:Walk-inTub OR from:"Replacement Window"'
tags = +spam;-new

[Filter.3]
message = "Get mailing lists out"
query = 'tag:lists'
tags =  +unread;-new;

[Filter.4]
message = "Get mailing lists out"
query = 'to:geda-user@delorie.com'
tags =  +lists/geda-user;-new;-inbox;


[InboxFilter]

Stepping through the file:

SpamFilter - This filter looks throught the email headers for the header X-Spam-Flag which should be set by SpamAssasian or something similar running on your email host. This tags the message as spam – hiding it from your searches.
KillThreadsFilter - Kill new messages to previously killed threads. Good for the ReplyAll chains from your Uncle about Obama.
ListMailsFilter - Look through the new messages and add a the name of the list as a tag. Remove the item from your inbox. This is helpful for high volume mailing lists so you can only check them when you want to. This filter uses the ListID: header in the email. I have noticed that a large number of commericial mailing lists are using the ListID header to track their campaigns. This is a bit annoying and I haven’t found a good way to fix it yet.
SentMailsFilter - Tag all the email that I’ve sent to others. This uses the From: header.
ArchiveSentMailsFilter - removes the inbox tag from sent email.
[Filter.1] - tag emails from facebook and remove them from the inbox.
[Filter.2] - filter out some common spam that I receive. Our spam detection isn’t working too well on my email host.
[Filter.3] - remove all mailing list messages from the inbox.
[Filter.4] - one mailing list that I subscribe to doesn’t set the ListID header used by the ListMailsFilter. It uses “X-Mailing-List” instead. It was faster to just detect these and remove them from the mailbox than it was to do anything else.

The one thing lacking in the current setup is a way to move emails from the Inbox to subfolders. Afew has a MailMover function, but I haven’t been able it to get it working well. This is necessary to move unwanted items to the trash. I’ve been using mutt periodically to move older items into an archive folder and to the trash.

Get the mail and index it.

Now that we have notmuch and afew to index and tag the email, it’s time to automate the process. In the previous installment, we wrote a small shell script to check the internet connection state, send queued email and pull down new email. Let’s extend it to handle some new commands!

~/.local/bin/checkmail.sh

#!/bin/sh

STATE=`nmcli networking connectivity`

if [ $STATE = 'full' ]
then
    ~/.local/bin/msmtp-runqueue.sh
    mbsync nnytech
    notmuch new
    ~/.local/bin/afew -tn
    notmuch tag -inbox tag:inbox AND tag:lists
    exit 0

fi
echo "No Internets!"
exit 0

This script adds in some new commands to index new mail and to run afew to tag the mail. In addition, we run notmuch again to remove all mailing lists from the Inbox as they’re almost always not urgent.

Now, how do we read our email again?

After spending all this time getting our email downloaded, indexed and tagged we probably want to read our email. I’ve been using GNU Emacs a lot lately and had read about the Notmuch Emacs client. The neat thing about Notmuch is that it’s independent of the frontend that you read your mail with. There are setups that work well with Mutt and even Vim as well as a number of other clients.

I installed the latest version of the Notmuch frontend from the MELPA Emacs package archive. Getting starting with MELPA is described here.

Some .emacs.d/init.el-fu is required to get things working.

.emacs.d

:::lisp

;Load up Notmuch
(require 'notmuch)


; Setup some keybindings


; C-c m opens up Notmuch from any buffer
(global-set-key (kbd "C-c m") `notmuch)

;Setup Names and Directories
(setq user-mail-address "myemail@mydomain.tld"
  user-full-name "My Totally Real Name")

; stores postponed messages to the specified directory
(setq message-directory "MailLocation/Drafts") ;

;set sent mail directory
(setq notmuch-fcc-dirs "MailLocation/Sent")

;Settings for main screen
(setq notmuch-hello-hide-tags (quote ("killed")))

;A few commonly used saved searches.
(setq notmuch-saved-searches
(quote
((:name "inbox" :query "tag:inbox AND -tag:work" :key "i" :sort-order oldest-first)
 (:name "flagged" :query "tag:flagged" :key "f") ;flagged messages
 (:name "sent" :query "tag:sent -tag:work" :key "t" :sort-order newest-first)
 (:name "drafts" :query "tag:draft" :key "d")
 (:name "mailinglist" :query "tag:lists/mailinglistID" :key "c")
 (:name "all mail" :query "*" :key "a" :sort-order newest-first))))


;Message composition and sending settings

;Setup User-Agent header
(setq mail-user-agent 'message-user-agent)

(setq message-kill-buffer-on-exit t) ; kill buffer after sending mail)
(setq mail-specify-envelope-from t) ; Settings to work with msmtp

(setq send-mail-function (quote sendmail-send-it))
(setq sendmail-program "~/.local/bin/msmtp-enqueue.sh"
  mail-specify-envelope-from t
;; needed for debians message.el cf. README.Debian.gz
 message-sendmail-f-is-evil nil
  mail-envelope-from 'header
  message-sendmail-envelope-from 'header)

;Reading mail settings:

(define-key notmuch-show-mode-map "S"
    (lambda ()
    "mark message as spam"
    (interactive)
(notmuch-show-tag (list "+spam" "-inbox"))))

(define-key notmuch-search-mode-map "S"
(lambda ()
    "mark message as spam"
    (interactive)
    (notmuch-search-tag (list "-inbox" "+spam"))
    (next-line) ))

(setq notmuch-crypto-process-mime t) ; Automatically check signatures


;Crypto Settings
(add-hook 'message-setup-hook 'mml-secure-sign-pgpmime)

(setq epg-gpg-program "/usr/bin/gpg2")

;There was some problem with listing PGP keys in the Debian
;version of EPG. This magic from StackOverflow seems to resolve it.
(defun epg--list-keys-1 (context name mode)
(let ((args (append (if (epg-context-home-directory context)
          (list "--homedir"
            (epg-context-home-directory context)))
          '("--with-colons" "--no-greeting" "--batch"
        "--with-fingerprint" "--with-fingerprint")
          (unless (eq (epg-context-protocol context) 'CMS)
        '("--fixed-list-mode"))))
(list-keys-option (if (memq mode '(t secret))
              "--list-secret-keys"
            (if (memq mode '(nil public))
            "--list-keys"
              "--list-sigs")))
(coding-system-for-read 'binary)
keys string field index)
(if name
(progn
  (unless (listp name)
    (setq name (list name)))
  (while name
    (setq args (append args (list list-keys-option (car name)))
      name (cdr name))))
  (setq args (append args (list list-keys-option))))
(with-temp-buffer
  (apply #'call-process
     (epg-context-program context)
     nil (list t nil) nil args)
  (goto-char (point-min))
  (while (re-search-forward "^[a-z][a-z][a-z]:.*" nil t)
(setq keys (cons (make-vector 15 nil) keys)
      string (match-string 0)
      index 0
      field 0)
(while (and (< field (length (car keys)))
        (eq index
        (string-match "\\([^:]+\\)?:" string index)))
  (setq index (match-end 0))
  (aset (car keys) field (match-string 1 string))
  (setq field (1+ field))))
  (nreverse keys))))

How to use it?

Load up emacs, press C-c m and you’re off and running.

Next steps:

I’m still working on refining the setup. My next steps should include:

Org-mode Capture integration
Getting afew to actually move email out of my inbox.

Feedback

If you have any feedback, please send me an email!

New SSL Certificate

Tue, 03 Nov 2015 21:21:00 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

My SSL certificate expired on 11/1. I replaced it with a new
certificate today. The SHA256 fingerprint of the new certificate is:

27:88:83:BF:22:D3:55:62:1C:2D:26:B2:8B:C9:AD:32:E3:C2:A6:BD:B7:C8:41:53:F9:38:D8:C6:AA:63:88:B1

This is going to expire in February 2016. I will likely replace it
with one from [Let's Encrypt](https://www.letsencrypt.org) by then.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJWOUgKAAoJEKtJwDCg2HMhXj0H/icGRxNn7cnlFUlEZ4Y5hujc
LlBOigcCT/A7HVmTSYq++7icj2J/XOw/CL2wVNok1oMe4KVT6VmLH3rs68BSzusB
arGSFAz4Lu1MPPmBlmp2L3l2Gc8eWPzvfDS9S1pD0tO63ISVGAzj0rMwtMlogPV2
ePd/lOIuICU8tUpWxNRt8LLrsOfMNYzuTV+5a6NVQS8OUpck/k3x6cYCpujXhXi3
APTT2o7s0VbvZP60iHZfMNzg6dQHEuywhmwmQuyyAy5LbefLyd+M8lN+4b/yzfw5
XVUIHx1Y/k5h5x9IFP//o6Y4fCRgMs0xhIAGWo0JZrwd8aQijjQx22qy+jBvfdg=
=WjLO
-----END PGP SIGNATURE-----

Getting Rid of Comments

Sun, 11 Oct 2015 21:21:00 -0400

I’m disabling comments on this blog as of today. I’ve only received a small handful of comments in the year or so that this has been up – certainly not enough to justify the user needing to download over 1 megabyte of javascript from Disqus when they load the page.

Feel free to email me - john at johnbyrnes.info if you have any comment.

Getting the T-Mobile Jet (Huawei 366) USB Modem to work in Linux

Mon, 21 Sep 2015 21:21:00 -0400

I recently purchased a cheap T-mobile broadband USB stick for use with my Debian Linux laptop. The device is the T-Mobile Jet 2.0 – a rebranded Huawei UMG366.

After putting the SIM card in, I noticed that NetworkManager was unable to see the card. Some DuckDuckGo-ing led me to this Linux Mint forum post.

Apparently these sticks show up as a USB hard drive when you plug them in. This lets them include the drivers with the stick. Ejecting the drive activates the internet connection. You can use a piece of software called usb\\_modeswitch to change the device mode.

The last post in the aforementioned thread has basically the correct step to take in order to get the device to work properly. Instead of editing the system udev rule file, I added a new rule into /etc/udev/rules.d/41-huawei.rules.

# Huawei E366 (T-mobile Wind)
ATTRS{idVendor}=="12d1", ATTRS{idProduct}=="1446", RUN+="usb_modeswitch '%b/%k'"

Speed tests were as follows using speedtest-cli from the Debian repository:

Testing from T-Mobile USA (172.56.36.162)...
Selecting best server based on latency...
Hosted by Atlantic Metro (New York City, NY) [6.18 km]: 144.517 ms
Testing download speed........................................
Download: 3.92 Mbits/s
Testing upload speed..................................................
Upload: 0.91 Mbits/s

This is a about 2x faster than Bluetooth tethering to my LTE phone. The download speed from the Ookla app on my smartphone was about 6Mbits/s. The HSPA+ speed from the dongle is perfectly acceptable.

Internets on a Plane! (and service blocking)

Sun, 16 Aug 2015 23:53:00 -0400

I fly UA quite often and regularly get internet on my flights. The speed and connection quality is quite acceptable considering that we’re traveling through the air and talking through some satellites. The rate is also quite reasonable - $1.99/hr for the slow lane and $3.99/hr for the fast lane.

However, on my last two trips, the following things have been blocked:

VPN access - I typically use a VPN when I travel to protect my wifi traffic. As the access points are unencrypted, I prefer to encrypt and route my traffic through a trusted host. It seems that they’re blocking most of the gateways for my VPN provider.
web.skype.com — Although I understand that you can’t really support VOIP, text chatting over the Skype web interface should be perfectly acceptable. I’d like to avoid installing Skype on my nice Linux laptop.
XMPP blocked - again, text chatting should be acceptable. TCP to ports 5222 and 5223 are blocked.
UDP to ports 60000+ is blocked. This means that I’m unable to use MOSH to connect to my home servers. I often chat through IRSSI + Bitlbee running on a server in my house.

I verified that in each case, the service I was trying to connect to was up.

Finally, I noticed that the feedback form was not protected by SSL. This should be the default on every website these days.

Overall the service gets a solid B. I was eventually able to find a VPN host not on the block list and was then able to access all of the necessary services.

GnuPG key update

Sat, 21 Feb 2015 21:21:00 -0500

Notmuch of a mail setup Part 1- mbsync, msmtp and systemd

Fri, 16 Jan 2015 21:21:00 -0500

Overview

Some months back, I discovered the Notmuch mail reader. It’s a pretty sweet piece of software based on Xapian to index and tag your mail. As of today, the email setup described here has displaced my Google Apps hosted Gmail for my personal domain. My goal here is to document how I’ve setup my mail workflow.

As it says in the name, Notmuch is not much of a mail client. It doesn’t get any mail, send any mail, or even display any mail. All it does is to provide an interface to a Xapian index for your mail. We need to provide other software that will help us handle the other pieces.

On one of my computers I’m using Arch Linux. I’ve tried just about every Linux distribution in the past fourteen years and have found Arch to be a pretty good sweet spot for a workstation. The distro has stabilized in recent years and a system upgrade seems to be less likely to completely bork your computer. I prefer debian stable on the server since it’s so well tested. The instructions here might be a bit Arch-Centric. I’m going to discuss sending and receiving mail before discussing how to configure Notmuch. Sending and receiving mail are critical for just about every GNU/Linux mail client and most of this should be generally applicable.

Getting the mail

My mail lives on an IMAP server somewhere in cloud-land. I’ve had an account on this machine for several years, but I’ve recently forwarded all of the mail for my domains to this server. There are several good IMAP clients these days that will synchronize the mail from your local computer with your mail on the IMAP server.

Among the ones that I’ve tried in the past are:

My mail setup requires the use of STARTTLS, so Getmail and OfflineIMAP are out of the question. They both support STARTTLS, but they’re using a Python library that doesn’t perform any verification of the certificate. This leaves me open to a MITM attack where someone upstream can present a fake certificate and proxy my traffic. I ended up using MBSync to fetch my mail from the server.

The documentation for MBSync is pretty terse, but there’s a nice page at the ArchLinux wiki.. I’ve included a configuration file that works for my needs.

 =~/.mbsyncrc= ##

# Address to connect to
Host mail.servername.info
Port 143
User BostonEnginerd
PassCmd "gnome-keyring-query get servername\\_mail"
SSLType starttls
SSLVersions TLSv1.2
SystemCertificates no # The following line should work. If get
certificate errors, uncomment the two following lines and read the
"Troubleshooting" section.


CertificateFile ~/.cert/mail.servername.pem


IMAPStore servername-remote
Account servername

MaildirStore servername-local
# The trailing "/" is important
Path ~/.mail/servername/
Inbox ~/.mail/servernamw/Inbox

Channel servername
Master :servername-remote:
Slave :servername-local:
Patterns *
# Automatically create missing mailboxes, both locally and on the server
Create Both
# Save the synchronization state files in the relevant directory
SyncState *

You will need to get the ssl certificate from your server. If it’s a “real” SSL certificate signed by a CA, including the CA certificate should be sufficient. If it’s self-signed, it’s easiest to get the certificate from the server and save it to a file. The commandline openssl command can do that for you:

openssl s_client -starttls imap -connect some.imap.server:port -showcerts

I just copied and pasted from the ——-BEGIN CERTIFICATE—– to the END CERTIFICATE line into a file and referred to that in the configuration.

I’m using the gnome-keyring-daemon to store the mail password so it’s not sitting on my hard disk in plaintext. There’s a program in the AUR called gnome-keyring-query which allows you to interact with the keyring on the command line. The get command gets the requested key. There is a set command as well for storing a password. One of these days, I might try to setup something that uses a certificate to authenticate the client.

Sending the Mail

The second most important thing that a mail client can do is send mail. I’m using the SMTP server on my host, again using STARTTLS. To send the mail, I decided to use a program called msmtp which implements a small send-only smtp client. The ArchLinux wiki has a nice tutorial on using this also.

After installing msmtp, you need to configure it. A working config file is below:

`~/.msmtprc`

# Set default values for all following accounts.
defaults
tls on
tls_starttls on
tls_fingerprint AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:
logfile ~/.msmtp.log

# A freemail service
account myserver
host my.server.tld
port 9000

from bostonenginerd@myserver
auth on
user myname
passwordeval gnome-keyring-query get myserver.smtp

# A second mail address at the same freemail service
account myotheraccountname : myserver
from myname@myotherdomain

# Set a default account
account default : myserver

I get the TLS fingerprint from the server using the openssl s_client. Again, I’m using the gnome-keyring to store the passwords encrypted on the disk.

Once msmtp is working you can send mail when your computer is online.

A nice feature would be to queue messages when the network connection is down and send them when you come back online. Fortunately recent versions of msmtp come with a queue management script. On Arch, there are two included. I’m using the one called msmtpqueue which includes three scripts - msmtp-enqueue.sh, msmtp-listqueue.sh and msmtp-runqueue.sh. These scripts pretty much do what they say. Copy them to somewhere in your path.

Using the scripts requires that you have a directory called ~/.msmtpqueue. The email will be stored in this directory when you use the msmtp-enqueue.sh command in your mail client. To send all the mail, you can use the msmtp-runqueue.sh script when you’re connected to the internet. In the past, I’ve had problems sending too many messages too quickly. If you encounter this, you can put a sleep command in the msmtp-runqueue.sh script.

Sending and Receiving Automatically

Now that we’re able to receive and send mail from the command line, it would be good to automate the process. I put together a hacked up script that checks if we’re connected to the Internet, sends all of the mail sitting in the queue and pulls in new messages. nmcli interacts with the NetworkManager daemon to query the state of the internet connection. Possible answers are none, portal, limited and full. We only want to go through the trouble of trying to send messages when we have full connectivity.

`~/scripts/checkmail.sh`

#!/bin/sh

STATE=`nmcli networking connectivity`

if [ $STATE = 'full' ]
then
    /usr/local/bin/msmtp-runqueue.sh
    mbsync -qq accountname
    exit 0
fi
echo "No internet connection."
exit 0

Now that we have this together, it would be awfully nice if my computer would run this script periodically. There are two ways to do this now. One way is to use cron. This is the standard way to accomplish something like this.

I thought that I would take the opportunity to play with what seems to be the new init system for major Linux distributions – systemd. I haven’t really been following all the drama surrounding this project, but it’s the new init system for Arch, Debian and Fedora. I’ve noticed that computers with systemd tend to boot substantially faster than the initV based systems. I was inspired to do this based on a blog post that Joey Hess wrote to document building himself an alarm clock with systemd.

I wanted to check for new mail and send old mail every fifteen minutes. To do this requires that I create two files checkmail.service and checkmail.timer in the ~/.config/systemd/user directory.

`checkmail.service`

[Unit]
Description=check mail
RefuseManualStart=no
RefuseManualStop=yes

[Service]
Type=oneshot
ExecStart=/home/bostonenginerd/scripts/checkmail.sh

This file defines what the service does. Type=oneshot indicates that this is not a daemon and will just run and exit. Setting the RefuseManualStop=yes variable will make systemctl unable to stop the service. In this case, that’s fine because the script will teriminate when it’s done running. Now we need to setup the schedule for running the job.

`checkmail.timer`

[Unit]
Description=Check Mail every fifteen minutes
RefuseManualStart=no
RefuseManualStop=no

[Timer]
Persistent=false
OnBootSec= 5min
OnUnitActiveSec= 15min
Unit=checkmail.service

[Install]
WantedBy=default.target

In this file, we’re setting RefuseManualStop=no because this will be a long running service which we will can terminate at some point. In the [Timer] section, we set OnBootSec to five minutes. This means that the checkmail.service job will not run until five minutes after the computer boots up. I put this in to wait some time for a network connection to come up before trying to get the mail. The OnUnitActiveSec variable control the time delay in between repeats of the job. Here it’s set to 15 minutes, but could be set for any interval.

To start the timer, you should type systemctl --user start checkmail.timer. Using the command systemctl --user status checkmail.timer will allow you to see if the timer was successfully started. To start the timer automatically, issue the systemctl --user start checkmail.timer command.

Another neat command is systemctl --user list-timers. This will list all of the timers that you have active and how long until they’re triggered again. Neat stuff. Systemd is pretty clever.

Ideally we could simplify our script and add a systemd dependency to the service that requires that the internet be active before running the script. I’d love to hear any ideas on how to do that, or how to do this more efficiently.

End Part 1

I’ll finish up the Notmuch specific portions of my email setup at a later date.