- 2022
- Nov
- 2
The comments are locked.
I had left the comments open just in case, but spammers found it - as spammers do. Comments on this blog are now locked. If you do need to contact me for some reason, I suggest you head back to the homepage and investigate some of the other links. There is an address you can use. I will check this email address as time allows; do not expect a fast reply.
Use the LinkedIn link, or the Mastodon link if you’d like to contact me - I know that’s inconvenient for some, but with email and comment sections being nothing more than spammer playgrounds, it’s the best way.
The comment link at the bottom of each entry will no longer open the comment dialog if clicked. It will either open the entry on its own page, or will take you to the top of an open entry page.
- 2022
- Oct
- 17
Deleting bad files in Windows
Windows can be quite the turd at times. For example, while it enforces a 255 character limit on a file (both path and name), it will still happily allow programs like Chrome to save filenames that are overly long, or even full of invalid characters. You’re left with a file that you can’t delete - or even rename - because it’s invalid to Windows.
The easiest way around this, assuming you have admin access to the computer in question, is to install 7zip.
7zip is a cross-platform archiver that supports its own native format, supports archive/unarchive of a number of other formats, and can unarchive just about anything under the sun. (Sorry CP/M’ers, I think SQ is too old for even this program to handle!)
Download 7zip from its homepage, 7-zip.org.
Once you install 7zip, open the file manager interface that comes with the program and navigate to your bad file. You can delete it right from the interface, as it ignores standard Windows conventions and does what it’s instructed - which is what it should do!
I use 7zip for pretty much all archiving purposes, even letting it overwrite the native zipper in Windows. It’s just that useful.
- 2022
- Oct
- 11
StatusNet: Sending email instead of SMS with a new post?
What are you talking about?
If you’ve been around for a while, you’ll remember the birth of Twitter and the open-source clones that came out shortly after. While those clones are still useful, the Internet has become weaponized and services that worked because we had more trust now no longer work as intended.
This article is about StatusNet and its ability to send an SMS whenever someone posts a status to a timeline you follow. It uses the email gateway provided by most carriers to deliver a message to you - that is, it simply sends an email to “yourphonenumber@yourphonecompany.com.” In theory, anyway. These gateways now have a very suspicious eye when receiving messages containing links or other words that hurt the carrier’s feelings. They’re all but useless these days, and part of that is due to the ease at which spam can be delivered to your phone.
StatusNet in itself still does the same thing it did back when the last releases were made. We’re still using it for this reason, and because it’s visually more appealing than the lotsawhitespace Gnu Social that followed. It’s probably not something that you should expose to the outside world unless it’s on a low value server, however, as it is over 10 years old.
Yeah, so?
As mentioned, StatusNet can send an SMS any time your timeline is poked. However, this is just an email. Why not modify that so instead of sending an SMS instantly after a status is posted, it sends you an email instead?
That’s perfectly doable, and it’s all but transparent to the StatusNet instance.
This involves poking around in and editing your StatusNet database. In particular, we’re interested in the sms_carrier table. I’m using phpmyadmin because it’s easy to make these changes, but you’re free to use what tool you like. I assume you installed the instance yourself - if not, this may not make sense to you. I’m not going to talk about how and where databases and other files are in this post - if you’re not sure where those are then this isn’t going to be of any use to you.
Open your database by selecting whatever you called it, then navigate to the sms_carrier table. We’re going to make two changes for each of the entries we want to add to our instance. Pick the row you want to edit, and click “Edit.” You’ll be on the screen with all of the things you can change about this entry. (You can also do inline edit, but I like to bring up the full edit screen.)
There are two ways you can do this. Either put a complete email address in as an entry, or use the built-in variable and patterns to allow multiple users with the same domain to enter addresses.
If you want to simply add a complete email address:
The first thing we want to do is give it a useful name: In the “name” field, under the “Value” column (last one) delete what’s there and type something that is meaningful to you. Next, in “email_pattern,” delete what’s in the “Value” column and type your complete email address. Do not modify any other value or function. When you’re happy with the changes, hit “Go” to save it. The StatusNet code will happily ignore the “number” you gave it and send to the email address provided. If something was messed up, hit the “Reset” button.
If you’re running a multi-user instance, I don’t suggest doing this. Any person using the instance can select your email. They can’t verify it because they don’t have access to it, but they can still select it and try to attach it to their account. A better method is to use the patterns provided by the original programming.
If you want to use the patterns:
You still want to give it a useful name, and for this example we’ll use “gmail.” Delete what’s in the “name” field under the “Value” column and type “gmail.” In the “email_pattern” field, we need to make sure we give it the proper information. You’ll see something like “%s@phonecompany.com” - replace the “phonecompany.com” with “gmail.com” - you should have “%s@gmail.com.” This will allow StatusNet to fill in the “number” you give it later. Hit “Go” and save your changes, or “Reset” to clear and start over.
With both of these methods, make sure all of your changes are fully saved, and exit the tool you are using. Now we’ll go to the StatusNet instance in question and log in.
How do I get that email?
When you are logged in, click Connect at the top. You’ll get a screen showing your connected applications, of which you probably don’t have any. There will be two options to the side, SMS and Connections. Click SMS.
You have two options here, depending on how you set up your database changes:
You added a complete address.
Pick the name you gave the address in the “Mobile Carrier” dropdown menu, type anything you want in the “SMS phone number” box (it doesn’t care because we deleted that variable) and hit “Add.” It will process for a bit, then you’ll end up at the screen asking for your confirmation code.
You added a domain only.
In this case, choose the domain you want in the “Mobile Carrier” dropdown menu and type the username portion of your address in the “SMS phone number” box. For example, if your address is “mygmailaddress@gmail.com,” pick “gmail” (assuming you called it that) and type “mygmailaddress” in the phone number box. Hit “Add,” and you’ll end up at the screen asking for your confirmation code.
If you did everything correctly, you’ll have an email waiting for you with a confirmation code in it. Paste that in the box, hit “Confirm,” and you’re done. Now you can go back to Connect > SMS and select the “Send me notices” checkbox under “SMS Preferences” to receive a notification every time someone posts to you or on your timeline.
If you don’t receive an email, check that your spam filter hasn’t trapped it due to the name or sender. It’s kind of unusual to get an email for an SMS confirmation, so mail systems may say “No.”
Both of these steps assume you have an email sender set up on your machine, it’s configured properly, the relay or service you’re using is configured properly, and your receiving email isn’t overly aggressive about looking for spam. If not, this isn’t going to work (obviously!)
It works?
So now, whenever someone posts a message that is on a timeline you’re following, you should get an email notification.
It works! There’s still a chance that your email provider can trap the message as spam, especially if there are links that look spammy. Whitelist the email these are being sent from, and you shouldn’t have any problems.
StatusNet itself is getting pretty old, and there aren’t many instances left out there. If you’re like me, and have a couple of internal systems under your control, this can restore some of the functionality lost over the past 10 years.
This is part 1 of a 2 part series about bringing StatusNet a little bit into the modern era. The next and final article will be about removing some of the identifying information to provide a little less of an attack surface should someone happen to run across your instance.
Now tell the little blue bird to get lost. We have some statuses to post!
- 2022
- Oct
- 9
The SwitchBOARd, a general purpose I/O device using the ESP-03.
When I was spinning up a number of ESP-01 devices, and before I found out how much RF noise they put out, I started exploring some of the other devices that were available in the ESP family. Specifically, the ESP-02 (an SMT version of the ESP-01, hard to get) and the ESP-03.
This board was designed to be a general purpose I/O board where you could read or write three individual bits and monitor those bits for control or notification purposes. Specifically, this was designed as a door open/closed device for garages. The ESP-03 was chosen because it was small, had a built-in ceramic antenna, and had the required number of I/O pins. It also looks kind of cool.
The board featured an onboard programming port and switch, a regulated power supply with a temperature monitor for the regulator, and indicators for all of the I/O. If desired, a passthru for the power supply could be placed, as to provide power for another board of this series without needing a regulator and extra supply.
Ultimately, I never could get the ESP-03 to take a program properly, and had just started to investigate why when I found out how bad these devices were at 320MHz. This board is one of two prototypes I built, the other having been sacrificed to the prototype gods during troubleshooting. Some other WiFi devices have shown up on the market, so this board may live again someday.
The boar outline found its way on to other projects, including this blog - and this is where the main page gets its name: Red Boar Design.
- 2022
- Oct
- 5
Re-opened my github account.
Some time ago, I had a github account with a few projects on it. That was closed due to various reasons, but I’ve decided to open it again and replace some of the material that was there originally.
The repository is here, if you’d like to check it out.
- 2022
- Oct
- 4
The Fort Wayne (Indiana) Hamfest
The last one in the area that I usually attend, the Ft. Wayne show is indoors and doesn’t get rained out. It’s usually a good portion of the day show, and I’ve never regretted the drive.
http://www.acarts.com/hfmain.htm
The 50th Annual Fort Wayne Hamfest
November 19th and 20th, 2022
9A-4P Saturday, 9A-2P Sunday
Admission $8, Parking $8
Allen County War Memorial Coliseum
4000 Parnell Ave
Fort Wayne, IN 46805.
This one can’t get rained out! See you there.
- 2022
- Sep
- 25
Didn’t make it to the Findlay radio show…
The day wasn’t looking promising. While it didn’t rain up there, the overall mood of the show was somewhat depressed as the threat of weather kept people away. I was told by a person that did attend that the show was still decent. So perhaps next year.
I did manage to make it to an antique engine show the day before, and will post those pictures soon. The next, and probably last radio show that I’ll try and attend this year is in Fort Wayne. Stay tuned for that information!
- 2022
- Sep
- 22
Allow access to a webpage only if inside the LAN?
Recently, I found that I’d like to set up some kind of internal dashboard for systems running inside the LAN. I wanted it to have easy access, and not require you to remember a new address or have to use a special port - it should just automatically resolve with the main website address while inside the LAN and deny you access outside the LAN. Sounds easy, and it is - sort of.
I’m using the Apache webserver, and it has the ability to deny service to you based on the calling IP address. It’s as simple as telling the server what directory you’d like to use, and requiring an IP. I came up with this:
<VirtualHost *:443>
    # (the external website materials)
    Alias /inside "/var/www/inside"
    <Directory /var/www/inside>
        ErrorDocument 403 /var/www/errordocs/denied.html
        Require ip 192.168.1
    </Directory>
    ...
</VirtualHost>
Note that you only need to provide the portion of the IP address that you wish to match exactly. In my case, providing 192.168.1 indicates that I’d like to match the entire /24 subnet. (192.168.1.1 - 192.168.1.254)
That worked - sort of. I was able to hit the website from inside the LAN with no issue. Outside the LAN, it denied me access but threw this error:
Forbidden
You don’t have permission to access this resource.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
That’s not what I wanted. The error document was (in the interest of obfuscating the issue) the same as the 404 page (with a slight modification that hopefully wouldn’t be noticed unless you looked for it) to hide the issue from outside parties that may be hitting the website looking for entry points. I know that’s bad practice, but this is a limited-access site whose users know what to look for. The error message I received tells the world what the problem is, and even though I turn identification of the server off, it probably tells you what I’m running. That won’t work.
The problem here is that Require ip 192.168.1 acts like a “Deny All” when the condition is not met - it even denies the error document regardless of its location. I wasn’t really sure how to get over this issue, but research revealed that .htaccess files are parsed as soon as the directory is hit, regardless of what else is set in the main configuration file. This isn’t necessarily bad practice, but it’s not best practice. You should strive to keep everything in the main config.
So what is an .htaccess file? Simply put, it’s a set of requirements for the local directory. If you have a directory on your webserver that has a particular access requirement that the rest of the server doesn’t need, you put it here. In my case, I was simply going to use it for error documents.
What’s the first thing you do? Find a guide. Someone already answered this question: https://stackoverflo … -use-an-errordocumen. So, following this guide, I did this:
Create .htaccess files in both my webserver root directory and the errordocs directory. In the root directory file goes the error handlers for the webserver:
ErrorDocument 404 /errordocs/nopage.html
ErrorDocument 403 /errordocs/denied.html
Nothing else. In the errordocs file goes a simple directive:
allow from all
This does exactly what it says, and allows from all without restriction. This can be dangerous, so don’t put anything in this directory that you don’t want the world to see!
Some permissions need to be set now:
/var/www/errordocs => 755
/var/www/errordocs/.htaccess => 640
/var/www/errordocs/nopage.html => 644
/var/www/errordocs/denied.html => 644
These permissions are pretty loose, so again: be careful. Put only the things necessary for the error handlers into these directories and files. One last step is to tell the server that you want to use these .htaccess files, otherwise it ignores them. This is part of the rewrite module https://httpd.apache … mod/mod_rewrite.html built in to Apache, so enable that and restart the server.
sudo a2enmod rewrite
sudo systemctl restart apache2
With the server restarted, you should be able to hit your webpage in /var/www/inside with a local IP address, and get an error message when you’re outside the LAN. Alternately, you could redirect, but that’s an entirely different game since you’ve already denied access.
I suspect this is probably obvious to those reading this, but I’ll point it out anyway. This only works if you’re serving pages from inside your own personal LAN. It’s not going to work if you’re using a remote hosting service or if the server is somewhere that can’t see your local IP. Of course, you can always set a particular address as a requirement, but in this case it’s best to make sure you’re not going to get locked out of your own services by a dynamic address change…
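The same LAN-only /inside area with the error pages handled in the main virtual host instead of .htaccess files, added here as an example and not the post’s own configuration: the 403 page is served from a directory that carries its own Require all granted, so a client that was just refused at /inside can still fetch it, and neither .htaccess parsing nor mod_rewrite is involved. The paths are the post’s; the /errordocs Alias, the AllowOverride lines and the 192.168.1.0/24 LAN are assumptions.

```apache
# Added example, not the blog's configuration. Everything stays in the
# main config, as the post recommends. No .htaccess files are read here
# because AllowOverride is None (AllowOverride, not mod_rewrite, is the
# directive that controls whether Apache reads .htaccess files).
<VirtualHost *:443>
    # ... DocumentRoot, TLS settings and the rest of the public site ...

    # Error pages live in their own directory that anyone may read,
    # including a client that was just refused at /inside. Keep only
    # the error pages here: the grant applies to everything in it.
    Alias /errordocs "/var/www/errordocs"
    <Directory "/var/www/errordocs">
        Require all granted
        AllowOverride None
    </Directory>

    # ErrorDocument takes a URL path, not a filesystem path. These are
    # the same two pages the post uses, referenced by URL.
    ErrorDocument 403 /errordocs/denied.html
    ErrorDocument 404 /errordocs/nopage.html

    # The internal dashboard: only 192.168.1.0/24 may reach it. A
    # partial address in Require ip matches the whole prefix.
    Alias /inside "/var/www/inside"
    <Directory "/var/www/inside">
        Require ip 192.168.1
        AllowOverride None
    </Directory>
</VirtualHost>
```

Run apache2ctl configtest before systemctl restart apache2, so a typo in a Directory block is reported by the check rather than by a server that fails to come back up.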
- 2022
- Aug
- 31
Blonder-Tongue Audio Baton (BT B-9) Schematics
A few months ago, I posted about some Blonder-Tongue Audio Baton (Blonder-Tongue B-9) units that I’d rebuilt some years ago. Those units, unfortunately, are long gone but I knew I still had the Sams Photofacts schematic laying around somewhere, and I thought that if I could find it, I’d scan and post it for anyone else who has an interest in these devices.
I was able to locate that documentation, and you can download a copy of it as a zip file or a 7z file. The 7z is a little smaller than the zip file, the zip being about 58MB. The schematics are 600DPI .bmp files for maximum clarity.
I’m pretty sure I had a scan of the original manual as well, if I can locate that I’ll post it as well.
If you happen to know where the units in the pictures are, I’d love to know.
- 2022
- Aug
- 27
email misadventures - security is important!
What happened?
About a year ago, I swapped my domains over to a new registrar. The old one had become stale and was gaining a weird reputation, and they had cut their extremely attractive email plans down to crap Outlook plans. The final straw was when the free-with-reg email they provided was stopped. They charged for things like domain privacy, and it was just becoming more expensive than it was worth.
The new registrar had a better email plan using a non-Outlook service, offered free domain privacy and relatively inexpensive website SSL, so the choice was clear. However, the email plans didn’t auto-config as well as they claimed.
I knew there was something screwy with my email. Gmail, the great Satan of services (but if Google likes you, everyone does) would sometimes tell me that it couldn’t verify my email was sent by pygg.xyz. That TLD is somewhat suspect due to its use by spammers, but that wouldn’t cause a warning to happen, it would just bounce as spam. Something else was wrong. It finally came to a head when I tried to send a mail to a particularly tight system and it bounced as blocked.
I learned three new things: SPF, DMARC, and DKIM.
In the examples below, some personally identifying or secure information has been blurred, so do not use these as your own records.
SPF
SPF is a term that stands for “Sender Policy Framework.” It looks something like this:
This record is not one of the main named types used in Internet routing, so it simply gets a type of “TXT,” or as you probably guessed, text. The 1200 is the TTL (Time to live) which I simply left at the default.
What this record means is that for my mail service of privateemail.com, mail coming from my domain of pygg.xyz is allowed to send mail. It’s a simple “match this” mechanism, and it generally works as it’s a yes/no thing. Other mail is quarantined for inspection, which is what the ‘~all’ means. It’s called a softfail. The other option here is “-all” which means that any non-matching sender is rejected. This is called a hardfail. This can be dangerous if you’re not set up correctly, so I’ve left it as soft.
The vendor’s SPF record was originally set up with a number of IPv4 addresses hard-coded in, which can be dangerous if the vendor’s address changes (such as adding new servers.) I found it better to match the mailserver’s name as opposed to its address. In this case, even if an address changes, you still match the name. I’m not sure, but it seems that the vendor may have had more mailservers than the record allowed. This fixed the SPF errors recorded by various testing services online.
DMARC
DMARC is a term that stands for “Domain-based Message Authentication, Reporting, and Conformance.” It looks like this:
This record is also not one of the named types, so it also gets a record type of TXT.
What this record means is simple. If someone tries to send email as you (i.e. spoofing), the mailserver will take this action and send any suspicious mails to the addresses specified. It works in conjunction with SPF and DKIM records. This record didn’t exist on my domain, so receiving servers looked at my email with a suspicious eye since they had no idea what my mail service did with spoofed mail. This record is one purely of self-policing trust. If I can’t take care of my affairs, it makes you less likely to deal with me. It was probably the most heavily weighted reason as to why I was being bounced.
To create this record, instead of wandering through what all of the options mean, I used a helper service. In particular, a site called dmarcian, located here: https://dmarcian.com … dmarc-record-wizard/. This leads you through all the things you need to fill out and automagically creates the record. It’s up to you to create the host and type, but you can follow mine or many other examples online.
One thing of note: You can either QUARANTINE or REJECT mail that doesn’t match your sending policy. There’s also another thing you can do, NONE - this means don’t do anything, just collect data. This is usually seen by receiving systems as a failure and is not suggested - it’s essentially the same as having no record at all.
DKIM
DKIM is the last thing that was messed up on my mail server, and part of it was my fault, part of it was the vendor’s fault. My fault was that, unless you’ve done this before, you have to trust that the vendor is giving you the correct information. As I had not done this before, I simply grabbed what was presented to me and pasted it in. That was wrong. The vendor didn’t clearly say that only a portion of what they presented was needed, and didn’t really mention that you had to append extra fields to use the long strings they generated.
DKIM is a term that stands for “DomainKeys Identified Mail”. It’s a public-private key pair that’s used to “sign” your emails and encode them, and if the receiving server can decode the mail with your public key, it’s assumed that you sent it since only you should have your key. It looks like this:
This record is an object that tells the receiving server what it is, what method to use during decoding, and what the actual key is. It’s (again) a TXT record, but this one has a single characteristic that is quite important. If you look at the first field, you’ll see “default._” - this is the object’s actual name, and MUST be used. In my case, the vendor used “default” as the object name when generating the key, although yours may be different. “s1”, “server1”, “bob” - whatever your vendor’s key generator uses MUST be used here as well. I didn’t understand that and used a name I found others mentioning, that of “s1”. This had the effect of the receiving server failing to find my key, as it was looking for “s1” and the server was using “default”. Changing the object’s name to “default” immediately fixed that and the remote server found the key and decrypted it.
My vendor also presented the key wrapped in a description that they created. That’s what really threw me off - when I pasted that in, remote sites still complained about a bad key, so I needed to determine the actual requirements of the key itself. The only parts of the key you need start at “v=DKIM” (the type of key) and end at the end of the actual key itself (the long string of characters.) Some sites suggested ending the record with a semicolon, so I did. I’m not sure if that’s needed, but it didn’t complain.
DKIM is a two-part thing on your end. You must have DKIM, and it must be valid. A receiver gives you a rating based on both. You can have a key, but if it’s invalid, that may still make your mail pass. Having both a key and a good key is imperative.
After that, I used some email test services that I found online. You send an email, and it analyzes the mail for proper construction. There are a number of those online. The only thing I can say about them is they are usually used for people who are sending newsletters, so they often analyze the content of the message and look for unsubscribe links. You can safely ignore those suggestions if you’re just setting up a personal email.
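As an added example (not the blog’s records or tooling), a small Python linter that checks SPF, DMARC and DKIM TXT records for the pitfalls walked through above: hard-coded address terms and the softfail/hardfail choice in SPF, a p=none DMARC policy, and a DKIM key published under a name that does not match the signer’s selector or that still carries the vendor’s wrapper text. The sample records are constructed with placeholder names, and the ten-lookup SPF limit comes from RFC 7208.

```python
# Added example (not the blog's tooling or records): lint SPF, DMARC and DKIM
# TXT records for the mistakes discussed above; sample records are constructed.
import base64
import binascii

SPF_LOOKUP_LIMIT = 10  # RFC 7208: max DNS-querying terms per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a lower-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record):
    """Findings for an SPF record: hard-coded IPs, lookup count, final all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    findings, lookups = [], 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower().split(":")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):  # breaks when the vendor moves servers
            findings.append("SPF: hard-coded address term %s; prefer a name" % term)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append("SPF: %d lookup terms, limit is %d" % (lookups, SPF_LOOKUP_LIMIT))
    last = terms[-1].lower()
    if last == "~all":
        findings.append("SPF: ~all softfail, unmatched senders accepted but marked")
    elif last != "-all":
        findings.append("SPF: no terminal -all/~all, unmatched senders pass")
    return findings


def lint_dmarc(name, record):
    """Findings for a DMARC record, which must live at _dmarc.<domain>."""
    findings = []
    if not name.lower().startswith("_dmarc."):
        findings.append("DMARC: must be published at _dmarc.<domain>")
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: missing v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":  # reports only; receivers treat it much like no policy
        findings.append("DMARC: p=none gives receivers no enforcement to rely on")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= must be none, quarantine or reject")
    return findings


def lint_dkim(name, selector, record):
    """Findings for a DKIM key; selector is the s= value the signer uses."""
    findings = []
    prefix = selector.lower() + "._domainkey."  # receivers query this name
    if not name.lower().startswith(prefix):
        findings.append("DKIM: name %r does not start with %r" % (name, prefix))
    if not record.lstrip().lower().startswith("v=dkim1"):
        findings.append("DKIM: record must begin at v=DKIM1, strip vendor wrapper text")
    key = parse_tags(record).get("p", "")
    try:
        base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        findings.append("DKIM: p= is not valid base64, key truncated or wrapped")
    return findings


# Constructed sample records (placeholders, not anyone's real DNS data).
SAMPLE_DOMAIN = "example.test"
SAMPLE_SPF = "v=spf1 include:spf.mail-vendor.test ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder, not a key").decode() + ";"
```

Calling lint_dkim with the selector the signer actually uses (“default” in the post) against a record published as s1._domainkey reproduces the name mismatch that kept receivers from finding the key.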
So what did I learn?
Modern email systems have a lot of security features that must be in place for other email systems to trust you. SPF, DMARC, and DKIM are all required, and even that may not save you.
For example, I’ve found out that my domain, which uses a TLD of .xyz, loses trust points simply for being an .xyz domain. Apparently, that’s used a lot for spammers, but there’s not much I can do about that. I can set my security up, and if you still don’t want to trust me then that’s your business, not mine.
What should you walk away with here?
This wasn’t meant to be a tutorial on how to set this stuff up, every email vendor has different ways of doing it and using my vendor’s system as an example is going to be useless for you. I mostly wanted to tell you about what you should look for when manually setting up your email system. It’s going to be up to you to learn how to implement those practices on your service.
Did the “tight” system accept your email afterwards?
No. It blocks .xyz wholesale, as best I can tell.
Gmail, on the other hand, now loves it and happily accepts it without error.