
A&A update

DSL Gear

The day finally arrived. The broadband switch went through around 7AM, so I spent five minutes reconfiguring the router once I got up, and it’s all working perfectly.

The port of my landline number to VoIP was a little less smooth – it spent most of Friday “in limbo” with calls neither ringing the handsets at home nor landing on VoIP – but by 6pm all was well.

So far the whole service Just Works including the IPv6. Result!

There’s one more post to follow on what I’m doing to keep my old landline handsets working.

Innotech Get It Right™

During last week’s heating issues, I needed to send someone a link to download the Windows software for our heating controller. I grabbed the link I made a note of nine years ago and tested it quickly before sending:

[[email protected]:~]$ wget                                 (02/02 19:25)
--2020-02-02 19:25:41--
Resolving (… 2606:4700:3037::6812:28dc, 2606:4700:3031::6812:29dc,, …
Connecting to (|2606:4700:3037::6812:28dc|:443… connected.
HTTP request sent, awaiting response… 200 OK

Two things about this please me greatly:

  • Cool URIs don’t change. I had no doubt that the software would still be available; it’s used for a range of devices some of which are still for sale. But that the same link from 2011 still works is impressive.
  • The download happened over IPv6! Naturally, this isn’t because a random HVAC supplier has rolled it out explicitly for their website; they’re using CloudFlare. And why not? Takes care of the SSL, caches those downloads closer to global customers and thus saves bandwidth, keeps you up to date without you having to lift a finger. CloudFlare’s control panel doesn’t let you turn IPv6 off if you’re on their basic package – it rightly explains that there is no good reason to do so.

That htpasswd file of yours has got to go

If you’re my sort of nerd (which I suspect many of my readers are), this story or something like it will probably have happened to you.

Flashback: the summer of 2009. I’m setting up a private website, access for which needs to be restricted to a handful of friends. So I do the obvious thing:

htpasswd -c /srv/auth/my-site.htpasswd david

The htpasswd tool allows you to maintain a simple file of usernames and password hashes, then you just hook it up to your Apache (other web servers are available) with a few lines of config, like this:

<Location /private/>
    AuthType Basic
    AuthName "Top secret"
    AuthUserFile /srv/auth/my-site.htpasswd
    Require valid-user
</Location>

And now, when you visit the location, your browser pops up the usual dialog box:

The ’90s called, they want this dialog box back

Maybe, like me, you rounded it off by providing a simple scripted interface for users to reset their passwords if they forgot them.

And there the matter rested, in my case for over a decade. However, logging in to the aforementioned site yesterday, I realised there are several things wrong with all this (seen with the benefit of, ahem, 2020 hindsight):

  • Most password managers can’t fill in the dialog box most browsers use for HTTP basic authentication, so you have to copy/paste (or worse, use a well known password and never change it)
  • Why does a dinky little private site I run which we all use twice a year need its own password database? Yet another thing to remember, or risk people re-using a password on. Is it using an up to date, properly salted password hashing mechanism? I don’t even know.
  • This doesn’t allow for two factor authentication, which I view as practically mandatory for internet-facing systems these days.
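The second bullet's question (which hash scheme is that file actually using?) can be answered by reading the file. The following is an added example, not code from the original post: it parses an htpasswd file and classifies each entry by the prefixes documented in htpasswd(1), flagging anything that is not bcrypt; the sample file embedded in it is constructed.

```python
import re

# Constructed sample file for this example; the hash values have the right
# shape for each scheme but are not real credentials from any site.
SAMPLE_HTPASSWD = """\
# users for my-site (constructed sample)
alice:$apr1$Z3Nf6JwB$H8Oj4c3KcGZ0n7VQFd7qZ1
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$2y$05$bnUaIQQpzXFV3iQJ7Jf6suEhRYIlXi6Yt9a8T8p3p4rM3EGGVl6Mq
dave:xxj31ZMTZzkVA
eve:plaintextpassword
broken line without a colon
"""

# Thirteen characters from the crypt(3) alphabet: traditional DES crypt.
_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# scheme -> verdict, per htpasswd(1): bcrypt (-B) is the recommended option;
# $apr1$ is the older MD5-based default; {SHA} is unsalted SHA-1; crypt(3)
# silently truncates passwords to 8 characters; plaintext comes from -p.
VERDICT = {
    "bcrypt": "ok",
    "apr1-md5": "salted but MD5-based: re-hash with htpasswd -B",
    "sha1": "unsalted SHA-1: re-hash with htpasswd -B",
    "crypt": "DES crypt, 8-char limit: re-hash with htpasswd -B",
    "plaintext": "stored in clear: re-hash with htpasswd -B",
}

def classify(pw_hash):
    """Return the scheme name for one htpasswd hash field."""
    if pw_hash.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if pw_hash.startswith("$apr1$"):
        return "apr1-md5"
    if pw_hash.startswith("{SHA}"):
        return "sha1"
    if _CRYPT_RE.match(pw_hash):
        return "crypt"
    return "plaintext"

def parse_htpasswd(text):
    """Return ([(user, hash), ...], [malformed lines]); blank and '#' lines
    are skipped, and lines without a colon are reported, not guessed at."""
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            malformed.append(line)
            continue
        user, _, pw_hash = line.partition(":")
        entries.append((user, pw_hash))
    return entries, malformed

def audit(text):
    """Map each user to the scheme name protecting their password."""
    return {user: classify(h) for user, h in parse_htpasswd(text)[0]}

def needs_rehash(text):
    """Users whose entry is anything other than bcrypt."""
    return [u for u, s in audit(text).items() if VERDICT[s] != "ok"]
```

Run `audit(open("/srv/auth/my-site.htpasswd").read())` against a real file to see the per-user schemes, and `needs_rehash` for the list of entries to regenerate with `htpasswd -B` (or, as the rest of this post argues, to retire altogether).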

Like me, you’ve probably had a vague intention to retire your various examples of this setup for years, but have been put off from doing so because it’s not clear what else can be done without adding a huge pile of complexity. Perhaps I can help you with that…

By using the mod_auth_openidc Apache module, you can swap basic auth for “sign in with Google” in about ten minutes.

Their site explains how. Don’t be put off by the references to the now-defunct Google+; the underlying APIs still exist and work. I did have to work out a couple of extra tweaks:

OIDCRemoteUserClaim email
OIDCScope "openid email"

It’s not the nicest Apache module I’ve ever worked with, as it will segfault the process if you get its configuration wrong (e.g. leaving out the above). It also needs extra config if you’re running behind a proxy and the user-facing port number is different to the back end. But still, it’s packaged for Debian and once you have it working, it stays that way.

Finally, if you don’t have a Google Apps domain with all your users in it, and instead just want to restrict people to signing in with a whitelist of allowed Google/GMail accounts, you simply do this:

Require user [email protected] [email protected]

Result. Naturally, as well as meaning one fewer account for your users to worry about (realistically, they all had Google accounts already), this means that password reset, second factors, etc. etc. are all now Google’s problem, not yours.

Go get rid of your basic auth; the rest of the internet thanks you in advance.

Train strain

The good news is, this post is not just me ranting into the void … I have written to my MP about some of the ideas at the end.

I’ve been missing my 26-30 Railcard badly. Combined with booking as far in advance as possible (12 weeks) and split ticketing, it was possible to get the cost of travelling first class between Oxford and Cheshire down to a just-about-bearable level. But with that nice fat discount no longer available to me because of advancing age, I’ve been back to standard. And I hate it. Take last Sunday’s journey, for instance:

  • I had to print off my (many many split) tickets from the machine in Oxford; there still seems to be no paperless ticketing on this route.
  • As usual, the train was a mere four carriages (three normal and one first). This really feels like taking the p**s on a Friday night, but even a train before 10AM on a Sunday was pretty busy – the food trolley just about made it through, but one more standard carriage would have made a big difference.
  • The rolling stock is getting a bit tatty, and the amount of space allowed in the standard seats wasn’t very generous to begin with. You can just about use a laptop at a funny angle, but it gets tricky if you want to fit your overpriced cup of tea on the little fold-down table as well…
  • There was a rail replacement bus for the last two stops, adding the best part of an hour to the process. (Thought experiment: would I have been refunded the extra for that leg if I’d paid for first class?)
  • The bus had better legroom, comfier seats and much less of a crowd than the train!

And as usual, we’ve had an annual price rise without the service getting any better. The XC Trains Limited accounts for 2019 aren’t available yet, obviously, but the dividend the shareholders enjoyed in 2018 looks suitably chunky.

Positive suggestions for going forward, then…

  • The government should legislate to put an end to the split ticketing nonsense. Force advance fares from A to Z to be capped at the same price that can currently be achieved by booking in smaller legs. This will be fairer to consumers and put a stop to the environmental impact and delays caused by people like me having to print six or more bits of cardboard for a single journey.
  • Print-your-own or barcode-on-smartphone tickets should be an option on all routes. If the companies won’t buy the equipment, make them pay the postage to send out the paper tickets in advance.
  • More carriages, more carriages, more carriages.
  • Consider reducing the number of seats and increasing the leg room and table space.
  • Rail replacement buses which take longer than the train they replace should count as a delay and thus come with the associated compensation to passengers.

Some of this is not easily done overnight, but the first two are easy and way overdue.

Trouble in the basement

Heating controls

Last Saturday at St Columba’s was a fun one. As any fule kno, the last Saturday in January is the traditional occasion to have a Burns Night Supper, where haggis is enjoyed and the life of Robert Burns celebrated. I was expecting to slice up the world’s supply of swede, and do my master-of-ceremonies bit.

What I wasn’t expecting was to discover a heating fault. As I’ve covered previously, I’m one of the people who knows how this system works, having been on the committee which oversaw it being procured and installed in 2011 (and re-programmed the logic so it actually worked as we wanted it to).

I should admit before going further that I didn’t manage to work it all out on my own – I had some help from another amateur who knows more electronics than me, and we’ve since had the professionals in.

There were a number of things wrong, the first of them being that the mechanical on/off button on the boiler broke so it was stuck in the off position! Yay for duct tape… I felt a bit better about having been stupid enough to turn it off when British Gas’s engineer admitted it was a common fault on this particular boiler. The boiler also defaults to a target water temperature of 20 degrees when reset which is … displeasing.

The second, annoyingly, was a failed pump. It doesn’t matter how well your boiler is working, if you have no pump to push the hot water round the heating circuit, you’re out of luck.

Fortunately, when we put all this in, we took the recommended option of dual redundant pumps! The controller switches between them once a week to ensure they wear out evenly, and after nine years of hard service, one of them broke. The good news, as you can just about see in the picture above, is that there’s a hardware switch to force it to stick with one pump or the other. So now we’re just waiting for a repair/replacement on the failed one, but all is working in the meantime. This sort of thing is exactly why you want a “hot spare” in critical systems.

Hozah / Oxford Park and Ride

Actually, it was three and a half years ago, and a different car park. However, the fact that there is finally a fully automated ANPR option for paying for the Redbridge Park and Ride in Oxford can only be a good thing.

So, does it work? Yes. It’s frustrating that there is no indication on the signage of whether you’ll pay the “convenience fee” or not – in this particular car park, you do. However, for the sake of not having to queue up for the machines and thus being able to arrive a couple of minutes later, plus being able to pay with Amex (points/cashback to be had!), I reckon it’s worth it.

Now we just need every other car park in the world to support this, and life will be sweet.

Netgear JGS524PE

If you attempt to do anything described in this post, it is at your own risk. Please don’t electrocute yourself, and be aware you’ll be voiding your warranty.

Noisy new piece of networking kit

This, as many readers will know, is a switch. You stuff cables into it and it connects together the devices on the other end of them (laptops, PCs, printers, WiFi access points, cameras, …) to form a network.

This particular one is destined to take over at St Columba’s, where it’s replacing an older model which I salvaged from a skip in 2012 – so it doesn’t owe us much. The nice thing about this new one is that it supports Power over Ethernet (PoE). This is exactly what it sounds like – the switch sends power down the network cable to the device at the other end, which is handy in our case, because the WiFi access points are both high up on walls/ceilings and nowhere near power sockets.

At the moment, we use PoE injectors, which means that in the cabinet with the existing switch there are extra power bricks, cables, etc – messy, and very demanding on the number of wall sockets. All that should get cleaned up now, but there was a problem…

I fired the new switch up on my desk at home to configure it, and was immediately disappointed by the amount of noise it made.

OK, so much rack-mount IT kit is a lot worse. But since this thing is supplied with rubber feet for desktop use as well as the rack-mount kit, I was rather hoping it would be quieter.

In a perfect world, this wouldn’t matter: all the cabling in the church would terminate in the basement or another room nobody ever goes in, so a few fans wouldn’t be an issue. Meanwhile back in the real world, it’s all under the desk in our minister’s vestry. So even this level of fan noise would present a problem for some users of the room.

I’m not the only person to take issue with this; Google found various suggestions including a YouTube video by a fellow Brit who wired some extra resistors in to reduce the speed of the fan, and hence the noise, in a similar model. I might try that, but for now I’ve indulged in the dubious fix of disconnecting the fan. The switch is rated for operation in temperatures of up to 50 degrees – not usually seen in Britain – and since fewer than half the ports, and less than half of the PoE budget will be in use, I’m going to chance it.

This upgrade also paves the way for some other PoE devices, specifically door lock controllers. I’ll write about those as and when the project goes ahead…

Andrews & Arnold

Waiting for the order to complete…

I’ve written here before about ISPs. For the past couple of years, my internet at home has been from BT, and, well, it Just Works. Getting rid of BT’s less than perfect hardware was the final step to making it all shiny, and apart from having to reboot the modem once every couple of months, it all seems to behave. In those two years, BT, like the rest of the market, have given up on pricing 40/10 FTTC differently from 80/20, so my connection now runs at 80/20 for no extra cost. Monzo tells me I’ve averaged just under £30 per month to BT for the duration, which is pretty good going.

However, with vague plans to move this year, I didn’t want to start another 12 or 18 month deal. So what to do? Well, I’ve decided to stump up the premium and start a 6 month deal with Andrews and Arnold. The main two reasons for paying the extra are:

  • For a one-off £42, plus £1.20/month, they can port my landline number off onto VoIP without breaking the phone line/broadband it’s attached to. As far as I can tell, nobody else on the market has this, and I decided it was worth the cost to be able to keep the landline number a handful of older relatives still insist on calling, but redirect all the calls to my mobile at my cost. I’m looking forward to when my aunt calls and I’m at the pub – “Sounds like you’ve got a lot of people in your flat, David”. “Er, yes”.
  • Mental health. Only a theory at this point, but I’m hoping the generous but not infinite 300GB/month download limit imposed by A&A will put a stop to some of my more extreme Netflix binges and force me to go outside more.

The switch isn’t due for another month (timed to coincide with the end date of my BT deal), so I’ll report back on how it all goes.

Update, 15 January – so far, both BT and A&A have behaved perfectly, sending e-mails/texts about the changes. It looks like the broadband will move on the installation date I picked, and the phone line three days later (which makes sense, because A&A only do phone lines to support their broadband).

Receipts: still waiting for a shiny new future

Let’s begin the first blog post of the new decade with a rant. I do try and be constructive towards the end, though, so bear with me.

I have the dubious honour of being responsible for spending a fair bit of “other people’s money”. Like many people, I file expenses at work – most months are fairly quiet, but sometimes I travel to London or abroad for conferences and client visits. And as regular readers will know, I’m also treasurer for various charities (well, just the one at the moment).

Naturally, in both cases, there has to be a receipt for every penny spent. In the business case, the auditors want to see ’em at year end, and you might also need to show them to HMRC if you want to offset your output VAT against your input VAT. (Oh, and the boss obviously needs them to sign off your expenses, though once you’ve reached the stage of being trusted with a corporate credit card, this is usually a rubber-stamping exercise).

Meanwhile on the charity side, the audit (or independent examination in simpler cases) will also need access to the supporting evidence for all outgoing payments.

In a perfect world, one would acquire receipts and file them away neatly as the transactions rack up. Thus, at the month/quarter/year end when the reckoning comes, you have them all to hand. Sadly this was rather easier in the good old days when 99% of the receipts were physical pieces of paper – you just fished them out of your wallet and stapled them together.

Now, though, e-mailed/electronic receipts are increasingly the norm, and most organisations large and small have moved to scanning even the paper ones and disposing of the originals. This ought to be progress, but it can turn pulling all those receipts together into a painful and long-drawn-out process.

There are two things we need to make this less painful:

  1. Companies should send invoices/receipts by e-mail. Don’t send me an e-mail telling me I have a receipt, and forcing me to go download it from your portal (or even worse, tell me nothing and leave me to go and check). E-mailing me the object itself means that I can set up automatic rules to forward your e-mail to [email protected], or save them into the Dropbox folder where we keep these things. As it is, in far too many cases I end up having to wade through and download things at month end, which is time consuming and tedious.
  2. We desperately need some sort of standard for passing receipt information back via a card transaction. In my ideal world, every transaction on the company card would beam all receipt information (vendor, items, VAT etc.) directly onto the entry in the expenses system, meaning all I have to do is a quick manual check before clicking submit. This is clearly within the realms of possibility, and I hope Visa, MasterCard and Amex are thinking very hard about how to make it happen.

Obviously, upgrading every point of sale system in the world ever to submit this sort of data is not a trivial task, but how about starting with payments processed by websites and other online services? No physical POS equipment to worry about, add an API call, sorted. Heck, start by sending just a PDF, forget about making it structured. Have a way for the card to tell compatible tills the e-mail address where it wants the receipt sending.

Here’s hoping we see some movement on this in 2020, and this is one of the last times I spend a very dull hour dredging up the past year of receipts for the walking club from old e-mails etc.

First week with the Samsung Galaxy Watch

Uh-oh, a shopping accident

As regular readers might recall, I bought my first smart watch just over three years back. All other things being equal, I was hoping to get another three years out of it at least, but sadly, it has a flaw. The charging dock has three little retractable pins sticking out of it, and these must engage with contacts on the back of the watch. It has now reached the stage where even with lots of licking to make a better contact, and fiddling with the dock, it doesn’t charge properly one night in three. And that’s just not good enough for something I rely on to get me to my meetings on time at work.

So, an excuse to see what’s been improved in this area since 2016. A spot of browsing suggested that Samsung’s Galaxy Watch is the one to go for if, like me:

  • You don’t care about fitness tracking features (if you do, buy a FitBit)
  • You don’t own an iPhone, or indeed anything made by Apple (if you do, buy their Watch)

A downside that I could spot even before looking at one is that it’s Yet Another Fragmented Ecosystem (it’s not Android, it’s Samsung’s own thing, with Samsung’s Own Payment Thing which is less widely supported than Google Pay…).

Still, I had a play with one and I was impressed. You can rotate the bezel to flip between screens and scroll, which makes it much more usable (for example) when wearing gloves. It’s an idea I never knew I wanted until I tried it.

There are two variants, 42mm and 46mm. 42mm is the same as my old Huawei Watch; the bigger one felt like having a saucer strapped to my arm so I gave it a miss.

You’ll have gathered by this point that the sight of the thing was too much for me, and I ended up buying it. (Incidentally, I found it cheaper on the high street than online!)

So far, I’m well chuffed. The alleged four day battery life is obviously with the screen in auto-off mode; as far as I’m concerned, a watch which I have to wake up before it tells me the time is a deal-breaker, so I have it in always-on mode and it lasts around 36 hours of heavy usage (or so I extrapolate).

Unlike its predecessor, the charging dock is completely wireless, so it shouldn’t fail mechanically in a few years. It does lose a point for having an LED on it, which I don’t like on any device I keep next to my bed.

Samsung Pay works quite well, and is sometimes more convenient than getting out a card/my phone. It works especially well on the London Underground, but only because I’m left handed and thus wear my watch on my right arm.

I also managed to find a watch face app which shows a nice compact view of upcoming calendar events (this was a bit of an unending quest for the old one – several came close, but misbehaved over time). And finally, it has not only a microphone but a speaker, meaning you can actually make and take phone calls on it, and wander around shouting at your wrist like you’re in Star Trek. The quality isn’t great, but it’s passable!

This one, though, is going to have to last nine years to get my average back up…