Now that half the world knows, I might as well tell you that I used balenaEtcher to flash an image onto a USB memory key.

balenaEtcher

I launched the app on a Mac on which I still have Little Snitch installed, a program which alerts me to outgoing connections attempted by programs on my Mac. I can then, on a per-program and per-connection basis, decide whether I wish to allow that connection and, if so, just once or forever.

This is the list of connections initiated by the already installed app which I was requested to approve:

etcher.io on TCP port 80 (http)
balena.io on TCP port 80 (http)
s3-1-w.amazonaws.com on TCP port 443 (https)
fullstory.com on TCP port 443 (https)
d1l6p2sc9645hc.cloudfront.net on TCP port 443 (https)
a.impactradius-go.com on TCP port 443 (https)
www.google.com on TCP port 443 (https)
accounts-cctld.l.google.com on TCP port 443 (https)
cse.google.com on TCP port 443 (https)
rs.fullstory.com on TCP port 443 (https)
api.mixpanel.com on TCP port 443 (https)
sentry.io on TCP port 443 (https)
stats.l.doubleclick.net on TCP port 443 (https)
data2.gosquared.com on TCP port 443 (https)
data.gosquared.com on TCP port 443 (https)
assets.balena.io on TCP port 443 (https)
code.jquery.com on TCP port 443 (https)

That was the list of connections I was requested to approve. To copy an image onto a USB memory key. I don’t even.

privacy :: 23 Feb 2019 :: e-mail

I was asked to moderate a discussion about all aspects of DNS privacy at FOSDEM, and I gladly went for that. I’d not been at FOSDEM yet, but I had read about its size, and it really is huge.

Seconds after arriving at FOSDEM’s ‘K’ building on the Sunday morning, Fabian intercepted me and treated me to a much-needed cup of coffee after the four-hour drive. My primary target at the conference was the DNS Devroom to which I got at around 10:30, only to find the dreaded “FULL” sign posted on the door, but I had a “VIP” ticket, and Peter let me in.

Moderating the DNS Privacy panel was huge fun. I got to see Stéphane and Bert (and Peter and Pieter and others) again, and I had the honour of meeting Daniel Stenberg. The (slightly truncated) video of the half-hour panel clearly shows what we talked about, and if you watch it I think you’ll recognize that I really did enjoy moderating it.

I didn’t get to see very many talks at FOSDEM, but I did chat to lots of people: Nicole and Lars, Howard and Michael, Fabian, whom I’ve already mentioned, Toshaan, Pieter, Pieter, and Peter, and several others. I spent lunch and the better part of the afternoon with Christoph and later drove him to the station, and from there I drove the short hop to Ghent.

Config Management Camp was a first for me as well, and I went because I’ve been postponing it for years, and I promised to go this year. Toshaan and Kris do a marvelous job in organizing it.

Cfgmgmtcamp (that’s how it’s spelled – I think vowels are expensive in Belgium) is a tenth of FOSDEM’s size, and much easier for me to handle. The conference is also free of charge, and the organizers serve lovely complimentary pains au chocolat and croissants for breakfast (coffee was very American and took ages to brew). The talks I saw were good, and the speakers well versed.

I spent one day only at FOSDEM, and that’s ok; I don’t imagine I would go again unless I were already in the vicinity; it’s just too large and too full for me. Selecting what talk to see at which time is a full-time job, and the probability of the room being ‘FULL’ is very high. (Somebody told me she came an hour early to the DNS devroom so as to have a chance of getting in.)

I will try to go back to Config Management Camp though: it’s a good size but if it gets any larger it too will be hard to handle. For me.

conferences :: 09 Feb 2019 :: e-mail

The Traccar server component has rather good support for notifying a user of a particular event: for example, when a device enters or leaves a geofence or, if the device supports it, when the ignition has been switched. These events can be configured to be issued to Web (meaning the Traccar Web interface, where they slide in from below), Mail, or SMS (which in the case of Traccar means a configured SMPP server).


What does a guy do who wants to manipulate notifications and do other things with them? Basically there are two choices:

  • Use an SMPP server which obtains the payload and does something clever with it
  • Configure position and/or event forwarding in Traccar

The former works, and we’ve had that working for the better part of a year, but the latter is a more solid approach.

Traccar can be instructed to submit an HTTP POST whenever it receives a position report from a device and whenever it would otherwise notify via one of the built-in methods (mail, Web, SMS). So what I’m going to do is tell Traccar to give me all this data.

traccar to http to mqtt

Whenever Traccar notifies of an event or receives a position, it bundles up some data as JSON and POSTs this to our configured endpoint. An example for an enter event (called geofenceEnter in Traccar-speak) is (slightly shortened):

{
	"geofence": {
		"id": 7,
		"name": "blub9",
		"description": "",
		"area": "CIRCLE (49.133867934876974 8.166520803303387, 33112.6)"
	},
	"position": {
		"id": 18336,
		"attributes": {
			"t": "i",
			"ignition": true,
			"distance": 449672.22
		},
		"deviceId": 7,
		"protocol": "owntracks",
		"deviceTime": "2018-09-14T15:34:17.000+0000",
		"fixTime": "2018-09-14T15:34:17.000+0000",
		"latitude": 49.0156556,
		"longitude": 8.3975169,
		"network": null
	},
	"event": {
		"id": 1216,
		"deviceId": 7,
		"type": "geofenceEnter",
		"serverTime": "2018-09-14T15:34:17.906+0000",
		"positionId": 18336
	},
	"device": {
		"id": 7,
		"attributes": {
			"aaa": "AAAA",
			"mm": "1"
		},
		"name": "Vehicle-54",
		"uniqueId": "q54",
		"status": "online",
		"lastUpdate": "2018-09-14T15:34:17.881+0000",
		"positionId": 18335,
		"geofenceIds": [
			7
		],
		"category": "boat"
	},
	"users": [
		{
			"id": 1,
			"name": "jjolie",
			"login": "",
			"phone": "+49123456",
			"readonly": false,
			"twelveHourFormat": false
		}
	]
}

We then create an HTTP endpoint to which Traccar will transmit the POST requests containing our notification, as it fires. By the way: did you notice that the position was reported via OwnTracks? We submitted an OwnTracks protocol decoder to the Traccar project a year ago, and it can be used directly from the OwnTracks apps in HTTP mode.


The Traccar configuration for this is done in conf/traccar.xml in which I can configure position forwarding and/or event forwarding.

<!-- position forwarding -->
<entry key='forward.enable'>true</entry>
<entry key='forward.json'>true</entry>
<entry key='forward.url'>http://127.0.0.1:8840/evpos</entry>

<!-- event forwarding -->
<entry key='event.forward.enable'>true</entry>
<entry key='event.forward.url'>http://127.0.0.1:8840/evpos</entry>
<!-- <entry key='event.forward.header'></entry> -->

(Until Traccar 4.0 I could add additional parameters to the HTTP POST using event.forward.paramMode.additionalParams, but that feature was silently removed.)

If you prefer, Traccar can forward positions using query parameters: we can configure this by disabling forward.json and specifying the parameters we’re interested in.

<entry key='forward.enable'>true</entry>
<entry key='forward.url'>http://127.0.0.1:8840/positions?id={uniqueId}&amp;lat={latitude}&amp;lon={longitude}</entry>
<entry key='forward.json'>false</entry>

(And because I hear you asking: the &amp; are actually required as we’re adding an ampersand between each query parameter and an ampersand is formatted as &amp; in XML.)

The list of possible query parameter values which can be interpolated I’ve taken from the source:

  • {name} is the name of a device
  • {uniqueId} its unique identifier
  • {protocol} the protocol through which a position was reported, e.g. "owntracks"
  • {fixTime} the time of fix
  • {latitude} and {longitude} the latitude, and longitude respectively
  • {altitude}, {speed}, {course}, and {accuracy} should be self-explanatory
  • {address} the reverse-geo-coded address if available

If you configure forward.json to be true, the query-string parameters are not substituted; instead a body containing a JSON payload is POSTed to the forward.url.
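Two things worth checking on the receiving side of the query-parameter variant: that the &amp; in the XML really arrives as a plain & (the parser unescapes it), and that whatever turns up in id, lat and lon is validated before it is trusted. This is an added example, not code from the Traccar project or from from-traccar; the parameter names id, lat and lon are the ones chosen in the forward.url above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed: the forward.url entry from the configuration above, wrapped in a
# root element so that it parses stand-alone.
CONFIG_SNIPPET = """<properties>
<entry key='forward.url'>http://127.0.0.1:8840/positions?id={uniqueId}&amp;lat={latitude}&amp;lon={longitude}</entry>
</properties>"""


def forward_url_from_config(xml_text: str) -> str:
    """Read forward.url back from the XML; the parser turns &amp; into a plain &."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("entry"):
        if entry.get("key") == "forward.url":
            return entry.text
    raise KeyError("forward.url not configured")


def parse_position_request(url: str) -> dict:
    """Validate one forwarded request as the endpoint receives it.

    Requires id, lat and lon (the names used in the template above), rejects
    non-numeric or out-of-range coordinates, and ignores any extra parameters."""
    qs = parse_qs(urlsplit(url).query, strict_parsing=True)
    missing = {"id", "lat", "lon"} - qs.keys()
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    lat, lon = float(qs["lat"][0]), float(qs["lon"][0])   # ValueError if not numeric
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    return {"id": qs["id"][0], "lat": lat, "lon": lon}
```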

We have a small utility named from-traccar which implements an HTTP server which republishes incoming positions and events to an MQTT broker.

Why MQTT? Well, because we do lots of good things with MQTT.
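The core of such an endpoint, as an added example that is not the from-traccar utility itself: it takes the JSON Traccar POSTs (the geofenceEnter payload above, trimmed, serves as sample input), splits it into a position message and an event message for MQTT, and refuses requests without a shared secret, since the forward.url on port 8840 is otherwise open to anything that can reach it. The header name, the secret, the topic layout and the assumption that a plain position forward carries only "position" and "device" are mine; the secret would be sent via the event.forward.header entry shown earlier.

```python
import hmac
import json
from typing import Callable, List, Tuple

# Constructed sample: a trimmed copy of the geofenceEnter payload shown above.
SAMPLE_EVENT = json.loads("""{
 "geofence": {"id": 7, "name": "blub9"},
 "position": {"id": 18336, "deviceId": 7, "protocol": "owntracks",
              "fixTime": "2018-09-14T15:34:17.000+0000",
              "latitude": 49.0156556, "longitude": 8.3975169,
              "attributes": {"ignition": true, "distance": 449672.22}},
 "event": {"id": 1216, "deviceId": 7, "type": "geofenceEnter",
           "serverTime": "2018-09-14T15:34:17.906+0000", "positionId": 18336},
 "device": {"id": 7, "name": "Vehicle-54", "uniqueId": "q54"}
}""")

# Hypothetical shared secret and header name; Traccar would send the header
# via event.forward.header so that not just anything reaching port 8840 can
# inject positions or events.
FORWARD_SECRET = "replace-me"
SECRET_HEADER = "X-Forward-Token"


def authorized(headers: dict) -> bool:
    """Constant-time comparison of the shared secret carried in the request."""
    presented = headers.get(SECRET_HEADER, "").encode()
    return hmac.compare_digest(presented, FORWARD_SECRET.encode())


def to_mqtt(payload: dict) -> List[Tuple[str, str]]:
    """Translate one forwarded payload into (topic, message) pairs.
    Event payloads carry an "event" object; a plain position forward does not."""
    dev = payload["device"]["uniqueId"]
    msgs = []
    pos = payload.get("position")
    if pos:
        loc = {"_type": "location", "lat": pos["latitude"], "lon": pos["longitude"],
               "tst": pos["fixTime"], "ign": pos.get("attributes", {}).get("ignition")}
        msgs.append((f"traccar/{dev}/pos", json.dumps(loc, sort_keys=True)))
    ev = payload.get("event")
    if ev:
        info = {"type": ev["type"], "time": ev["serverTime"],
                "geofence": payload.get("geofence", {}).get("name")}
        msgs.append((f"traccar/{dev}/event/{ev['type']}", json.dumps(info, sort_keys=True)))
    return msgs


def handle_post(headers: dict, body: str, publish: Callable[[str, str], None]) -> int:
    """What the HTTP handler does with one POST; returns the status to answer with."""
    if not authorized(headers):
        return 401
    try:
        messages = to_mqtt(json.loads(body))
    except (ValueError, KeyError, TypeError):
        return 400          # malformed JSON, or a payload lacking the expected keys
    for topic, message in messages:
        publish(topic, message)   # e.g. an MQTT client's publish(topic, payload)
    return 200
```

The publish callable is where an MQTT client goes; with the sample payload the handler emits traccar/q54/pos and traccar/q54/event/geofenceEnter.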

GPS, OwnTracks, and Traccar :: 14 Sep 2018 :: e-mail

All I wanted for Christmas in 2009 was a Sonos. Almost nine years have passed since I purchased the first S5 player (they’re called differently now), and we enjoyed the system so much, that we recommended it to quite a number of friends and acquaintances who’ve also bought Sonos equipment. Sometimes more of it, sometimes fewer parts, but Sonos it was.

Then came the time when we got miffed about the “new” and “improved” UI of the Sonos mobile apps on iPhone and iPad. To us the apps became almost useless, and I got the (probably incorrect) impression that each incarnation was completely different from the previous. That bugged all of us here at Casa Mens, but I put it down to “getting old and farty”.

I got pro-actively upset last year, when the apps started informing me I’d need to create a Sonos account. I didn’t want a Sonos account and certainly did not believe that my “listening experience” would improve from having an online account.

I really got upset when, on the weekend, I couldn’t play music because the apps required updating, but wouldn’t do so without me having an account. OK, I thought to myself: don’t be such a wimp. That one more account won’t really hurt, will it?

It does. And I am thoroughly angry.

The next day, I decided to actually log into the sonos.com site with the credentials I created, and I will admit I was shocked (yes, me, I’ve been on the Internet for a few days) to see some of this.

First of all, Sonos knows when I’m at home and when I’m not. Of course they know, but it’s none of their business, and even less so to record and store that information. Not only that, but they also tell me how much other people listen to their music on average. What’s that supposed to do? Show me theirs is bigger than mine?!

They also know what I listen to. It’s none of their bleeding business. That’s precisely the reason we have most of our music as MP3 stored on a NAS at home. I expected only us to be privy to that information.

When was one of us at home listening to music? They know that too.

I told the wife about this, and she was livid. Her exact words were “They know when I’m on the crapper in the bathroom putting on makeup?!?” Yes, dear, unfortunately they do. It’s my fault though because nine years ago I labelled the players by where they’re located; I thought it’d be practical, but I see I should have chosen names like 7354e2055eb803b3b4ccd7c2d317a064 to better protect our privacy. Please forgive me!

Oh, dear Sonos people, how long was the total playing time in my household last week? I’m sure you can tell me that too. Thank you. And I’m sorry I listened to 5% less than last week; I’ll try to improve on this.

The Sonos privacy page is full of it. Text. Lots and lots of it. Sometimes I wish I were a lawyer. I read it top to bottom. It’s a shame most people probably won’t have the pleasure of studying it. If you don’t, at least search for opt out and do that.

I opted out and the data no longer shows up on the Web page when I log in to Sonos. Whether or not the data is still being transmitted I do not know. What I also don’t know is why my account had this enabled; it appears as though others have it disabled by default. Is it because they’re newer to the game than I? I’ll never find out.

One passage from the “privacy page” is adorable:

you will not be able to opt out from this [Functional] data collection, sharing and/or processing if you want to continue to use your Sonos Products.

These two “frequently asked questions” are also interesting:

Do I need to register my Sonos products for them to work? Yes. This is fundamental to providing a secure internet–based home sound system.

How do I delete my personal data from Sonos and what are the consequences? You can always send us an email via privacy@sonos.com or contact our Customer Care team and request that your data be deleted. Please note, however, that by deleting your personal data your Sonos products will stop working.

If I lived alone, I would now show you a photo of all my previous Sonos equipment in the boot of the car, ready to be given to somebody who wants it, and that may still happen. I don’t live alone, and we’re still thinking about how to handle this situation for ourselves.

In case you follow me on other parts of the internets you’ll know that privacy has become important to me over the course of the last quite a few years. Call me naive for not having found out sooner, if you like, but this angers me beyond belief, and I am hugely disappointed by a company I previously admired.

Needless to say, I will begin apologizing to friends of ours who followed my advice, and I will warn them.

Reactions to this post:

  • “with the last update it was mandated to create an account with Sonos for “security” reasons. Since that moment I have removed all Sonos equipment from our house, sold it and moved to Naim and Bose speakers. Whiskey Tango Foxtrot Sonos…”
  • “After years of Sonos ownership I’m now in the market for different speakers.”
  • “Some years ago I also had a Sonos test setup at home. Somehow, I got a bad feeling about speakers directly connected to the internet, so I bought Bose stuff. Lost much convenience but won privacy.”
  • “I am @Sonos customer since 2013 or so, and, yes, I have no use whatsoever for that useless login, either.”
  • “Also, purchased the last Play:5 as a used model, because I do not want devices with microphones for this purpose (have no use for digital assistants at all, I just want good speakers).” – Yes, read their privacy statement on listening devices.
  • “re your Sonos blog-post: I hit the breaking point in September too, looked around for options and purchased a HifiBerry with case. Add RPi and my own speakers and I have better stereo sound, albeit less pretty.”

Update

I discovered a “Sonos community” and found this tidbit there which pretty well matches my history. One poster writes:

I don’t want a Sonos account. I have enough accounts out there already. I paid a lot of money for the hub and speakers and now my usage is being held hostage to Sonos’ desire for that fat data harvesting loot? The last couple of updates had a “skip” button re: Sonos account, and that was annoying but acceptable, barely. Forcing an account is just **. I bought my first Sonos speaker, a Play 5, on November 8th 2009. I didn’t have an account then. I bought my second on November 24th of the same year. No account. I bought my third in September 2010, no account. Your condescending explanation clarifies Sonos motivation for login somewhat. I don’t care. If Sonos has explained it clearly before forcing it I would have agreed, if grudgingly, but I have to hear it from some snarky tool in a forum?

whereupon somebody responds:

Yes, you did have an account, Sonos has always required you to have an account. Here’s how it worked: Your initial purchase required registering to an email address, which became your account. Each unit after that was assigned to the account automatically. They have recently replaced the automatic assignment in favor of requiring account information to prevent unauthorized devices from connecting to your system. This has nothing to do with data collection, they’ve already been collecting your data for years now.

They’ve been collecting my data for years now.

Sonos :: 11 Sep 2018 :: e-mail

When Ton Kersten asked me a few weeks ago whether I’d like to prepare a home automation workshop to be held in Utrecht, I quickly said yes.

It’s been four and a half years since I started using openHAB, and I haven’t regretted it once. The system has been very reliable, and I’m still running an early 2016 version. Why upgrade?

Meanwhile a lot has happened in the world of openHAB including a few very large new releases, so there are a lot of new things for me to learn and most of it is fun. Most of it.

I’m having a lot of fun putting together a nice demonstration environment for the workshop, and I’m using Ansible to set up the virtual machines participants will use in the labs. Apropos labs: I wanted participants to be able to connect a real physical switch and a real lamp, but investing in 20 Homematic CCU2 or in 20 Z-Wave sticks would be prohibitive, so we arrived at an alternative and fun solution:

These are Wemos D1 mini (ESP8266) boards fitted with button shields (the physical button) which Ton soldered together, and they have an on-board LED (the physical lamp). The devices will be speaking MQTT with openHAB (yes, we’ll discuss MQTT as well), and the firmware’s been flashed onto them. I’ve just completed writing all the exercises we’ll be doing with a number of different openHAB bindings.

It’s impossible to cover all details of what openHAB has to offer, but I believe we’ll get to know most of it. Also, my focus will be on keeping data within the confines of your house/office; we’ll touch upon external services, but the Intranet of Things is what it should be. :-)

Care to join us? The workshop will be in Utrecht (that link contains the description as well) and in the English language, and I can tell you I am very much looking forward to that event.

Let there be blinkenlights!

openHAB :: 23 Jun 2018 :: e-mail
