1722


I ordered my first Apple Watch the day they went on sale, April 24, 2015. I was slow enough completing the process that it didn’t ship for a couple of weeks, so I didn’t get the watch until early May.

I’ve worn it, and later the Apple Watch 4 I bought to replace it, every day since. Initially I closed some of the rings some days, but rarely all three rings in a day. Beginning in August 2015 I started closing all three rings every day.

I’ve closed all three rings every day for 1,722 days. One thousand, seven hundred and twenty-two days.

That streak is not at an end, but the “official” record of it on my iPhone is in jeopardy. On Wednesday, three days ago as I write this, my iPhone, a now five-year old iPhone 6S Plus, freaked out and started asking me for my iCloud password repeatedly. After entering that password, I discovered I had to re-enter my mail password, re-setup Authy, and sign back into other apps that sit behind passwords.

At the time I found this annoying, but didn’t really think too much about it. Yesterday afternoon I realized my Apple Watch was no longer syncing with my phone. Looking at the Activity app on th phone I could see a partial day recorded for Wednesday, and nothing at all for Thursday or Friday. It felt like I’d been punched in the stomach.

I immediately rebooted my phone and then my watch. Still no connection. I called Apple Support. Within minutes I was talking to a very helpful woman who gathered some data and had me try restarting my devices again. When that didn’t work she escalated the case to a higher level of support. The next woman and I spent more than 90 minutes on the phone together. By the end of the call she had opened a ticket with engineering, and had captured some log files from my phone. I also sent her several screen shots from the phone and the watch. We also did a full back up of the phone to my computer, using a password so that the health and activity data would be backed up too.

I’m now waiting for a return call on Monday, hopefully to set up a call with the engineering folks. Since the end of yesterday’s phone call, I’ve discovered what I think is the problem: the iPhone’s Bluetooth is not fully functional.

It is only paired with my Airpods. It shows an entry called “Apple Watch”, but there’s no “I” icon to allow seeing more information about that connection. When I try to pair the iPhone and my iPad, the iPad sees the phone, but cannot connect to it. The phone doesn’t see any nearby Bluetooth devices.

From the phone I can “find my watch”, but the reverse is not true. From the watch I cannot ping the phone to locate it.

Whatever happened Wednesday morning about 11 am has damage/crippled/borked the Bluetooth interface on the phone. My hope is that engineering can somehow reset that interface in a way that doesn’t lose my activity data.

I asked during the call how long the watch will store data without syncing to the phone. The answer is: until it runs out of storage, usually about 7-10 days. My watch has 5 GB of used space and 7 GB of free space. There is about 3 GB of music on the watch that I would instantly remove, however, that requires that it be synced with my phone.

It is not possible to pair the watch to a new phone with out wipingg it clean—losing all the data it has. If that were possible I’d go buy a new iPhone today, and restore the backup to the new phone and then pair the watch.

On my iPhone the activity history shows 1,719 days with all three rings completed. The watch has data showing 3 more days (Wednesday, Thursday, and Friday), bringing the (potential) total up to 1,722 days. By Monday that potential number will be 1,724 plus Monday.

I am on tenterhooks waiting for Monday’s call. Both tech people were impressed with the length of my streak, and the second one in particular is determined to keep it if at all possible. I fervently hope she can pull that off.

Why Using Your Gmail Address as Your Username is a Bad Idea


Gmail, or Google Mail, was famously announced on April 1, 2004. April Fool’s Day. Free email with unlimited storage. Initially you had to be invited to get an account. I desperately wanted to have a Gmail account and finally managed to cage an invitation through Matt Haughey, whom I knew of through his web site A Whole Lotta Nothing. I got my first Gmail address in June 2004, and I’ve been using it to one degree or another ever since.

There are email standards. One of those standards is that, while the local part of your address - the bit preceding the at sign - can contain a dot (.), the dot cannot be the first or last character, and it cannot be repeated, e.g, joe..user@example.com. The local part of the address needs to be unique with in the domain. You can’t have two bob@example.com email addresses that go to two different people.

Google breaks this rule in a subtle way. They allow any and all variations, involving dots, of your local part to resolve as your account. An example will make this clearer. Joe User signs up with Gmail. He picks joe.user@gmail.com as his address. He will get mail addressed to joe.user@gmail.com. He will also get the email addressed to any of these variations:

joeuser@gmail.com
j.o.e.user@gmail.com
joe.u.s.e.r@gmail.com
j.o.e.u.s.e.r@gmail.com

And so on. Google says “dots don’t matter in Gmail addresses”.

If someone accidentally adds dots to your address when emailing you, you’ll still get that email.

On the surface, this is a nice idea, but in implementation it proves to be massively annoying.

Why Standards are Important

By not following the email standard for unique local parts to email addresses, Google has set a trap for every other Internet business who allows email addresses to be used as user account names. Unless the developers at Example Incorporated code their user on-boarding process to prevent any variation of an established account, using Gmail as the username, where the variation involves adding or subtracting dots within the local part of the address, then they will end up allowing what appear to be two (or more) distinct accounts to be created on their site, the resolve to only one Gmail address.

For example: Joe User signs up at PayPal using his joe.user@gmail.com email address for the username. He adds his phone number and sets a password and he is good to go. Then one day he gets an email stating, “You added your phone number to your account”, which lists a phone number poor Joe has never seen before.

PayPal allowed another person named Joseph User to create an account using joeuser@gmail.com as the username. To PayPal the two accounts are unique. joe.user is different than joeuser. Unfortunately, Google sees joe.user and joeuser as variations on the same email account. Joe User will now get emails from PayPal that are meant for Joseph User. Joseph won’t understand why he isn’t getting his PayPal emails.

Because additional information is needed to reset the password for the other account, and the prompts for that information obscure the alternate contact information for the other user (which is good), there is no way to reach out to the other user to let them know that their email address isn’t what they think it is - unless that other email address is Googlable enough to find out enough information to try to contact the other user via other means.

My Approach to this Mess

My name is not that uncommon. There are several other people in my town of 53,000 who share my first and last name. I have no idea how many people nationwide are named Mark Nichols. I do know that there are enough that I get a continuous stream of emails using the dot-less variation of my Gmail address. I get hotel reservation confirmations and bill folios. I get reminders of dental appointments, and car service appointments. I get emailed copies of Lowe’s purchase receipts. I get access to shared Google Docs, and invitations to weddings and other events. All because someone at Google 16 years ago though it would be cool to “save people from typos” and decided to allow email address local parts to be non-unique within the gmail.com domain.

Since there is no way every other business, organization, what have you, on the Internet is going to carefully vet email addresses used as usernames to ensure that two seemingly unique Gmail addresses aren’t in fact merely dot variations, then you should not use your Gmail address as a username. You’ll still get emails sent to dot variations of your address, but if you know your account username is NOT your Gmail address, then you won’t have momentary panic when you get an email confirming your week long hotel stay in Miami.

I’m starting the tedious process of visiting each online account that uses my Gmail address for the user name, and changing that user name (if possible) and changing the associated email address. Fortunately I have all of my accounts stored in a password manager, so I should be able to identify 99% of them.

I’m retiring my Gmail account as the email I use to sign up for things. I’ll create a new account on my personal domain for that. Hopefully this will prevent 30 minutes of late night panic about an email from PayPal announcing that I’ve added a phone number to my account that I’ve never seen before.

A Script to Monitor SSL Certificate Dates


I’ve been using Let’s Encrypt to provide SSL certificates for all my domains and subdomains for a couple of years now. Let’s Encrypt certificates are only good for 90 day, and with 17 certificates to manage, renewing them all manually was a pain. So I put the commands into a cron job (actually several cron jobs) that renewed each certificate once a month. The cron job mailed me when it was done so I knew which certificates had been renewed.

Recently my web host, WebFaction, started offering built-in Let’s Encrypt certificates - ones that I would not have to renew myself. At 40 days to go they automatically generate a new certificate to replace the old one. This is great, but I’ve lost some visibility into the process.

I wanted a way to list all my SSL certificates, and their current date ranges. Each SSL certificate has a date and time they become active, and a date and time when they expire. This command will return those two pieces of information for the domain example.com.

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

For example:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null |
openssl x509 -noout -dates
notBefore=Nov 28 00:00:00 2018 GMT
notAfter=Dec  2 12:00:00 2020 GMT

You could create a bash shell script that was just 17 instances of that command and call it a day. Inelegant, but functional. A better solution would be to have a file of domains to check, and a script to do the checking.

Here’s part of my file.

zanshin zanshin.net
books books.zanshin.net
geek geek.zanshin.net
health health.zanshin.net
music music.zanshin.net

And here’s the script.

#!/bin/bash

set -e
set -o pipefail

###
# certcheck displays the good from and good until dates for SSL certificates.
# It expects a file (.certs) that contains a list of domains to query. Each
# entry in the file has two parts, the name to display, and the domain to
# query. The two entries are separated by a space.
#
# .certs file example:
# example example.com
# www www.example.com
###

echo -e "certcheck\n"

filename=".certs"
while read -r line; do
    # Parse input into an array, using space as delimiter
    certarray=($line)

    # Get the name and the domain
    name=${certarray[0]}
    domain=${certarray[1]}

    # Get the certificate start and end dates
    result=$(echo | openssl s_client -servername $domain -connect $domain:443 2>/dev/null | openssl x509 -noout -dates)

    # Muck with internal field separator (IFS) to split $result on new line
    oldIFS=$IFS
    IFS=$'\n'
    datearray=($result)
    IFS=$oldIFS

    startdate=${datearray[0]}
    enddate=${datearray[1]}

    # Print the results in columns
    printf "%-15s %-30s %-30s\n" "$name" "$startdate" "$enddate"
done < "$filename"

echo -e "\nfinished"

The script is a simple loop. For each line in the file it does the following steps:

  • It parses the line using space as the delimiter so that $name contains the label to use, and $domain has the domain to query.
  • Using the value in $domain the open_ssl command is run. The two lines of output are captured in $resutl. The key part here is that it is two lines of output.
  • In order to put the two date time stamps into separate variables, the “internal field separator” or IFS has to be set to the new line character, \n. So that IFS can be returned to it’s original value it is saved in oldIFS first.
  • With the start and end dates now in $startdate and $enddate respectively, a printf command can be used to create the output. printf is used as it provides better control over formatting than echo would.

That’s it. Loop through the file, use the domain to run the open_ssl command and capture the result. Split the result on the new line character. Print the results, one per line, neatly formatted into columns.

Here is an example of the script’s output.

certcheck

zanshin         notBefore=Feb  2 19:30:06 2020 GMT notAfter=May  2 19:30:06 2020 GMT
books           notBefore=Jan 24 11:13:48 2020 GMT notAfter=Apr 23 11:13:48 2020 GMT
geek            notBefore=Jan 23 07:36:14 2020 GMT notAfter=Apr 22 07:36:14 2020 GMT
health          notBefore=Jan 31 14:24:25 2020 GMT notAfter=Apr 30 14:24:25 2020 GMT
music           notBefore=Mar 18 12:09:18 2020 GMT notAfter=Jun 16 12:09:18 2020 GMT

finished

Any time I’m curious about the state of my SSL certificates I can run this script.

WFH


WFH. Work From Home. Or, as I think of it at times, What’s fucking happening?

10 days ago, as I write this, was the last day I worked at my office. The university where I am employed scheduled a test work remote day on Thursday, March 12th. By the end of the day it had been extended to include Friday. By the end of Friday we were all told to work remotely for the foreseeable future, at least through the end of the semester.

As an IT professional my job is well suited to remote work. There are entire IT companies that are 100% distributed. Last autumn, due to some HACV work in my building, that uncovered asbestos, we all worked from home for a week. That was fun actually. Going from a work-in-the-office with other people setting, to working-at-home by yourself, as been an adjustment. Knowing that this is reality for the next two, three, or more, months, puts an entirely different spin on it.

I’m an introvert, and I like things to be just so. Working from home appeals to those aspects of my personality. I also appreciate some amount of what I call “social friction.” The act of interacting with other people, in person, feeds some part of me. I miss that part of being “at” work. I don’t miss the noise and interruptions, the smells, and wonky temperature from the HAVC system.

I am incredibly fortunate that my wife, Sibylle, has a very similar temperament. She is also an introvert, and is someone content within herself. She is fortunate enough to have found a way to make her piano studio work remotely. We have found a rhythm that works for us, here in our home.

I get up at my normal work day time. I shower and get dressed as if I were going to the office, and then have breakfast. Then I come into my home office and start my day. At lunch time I leave work and go out in the rest of the house for lunch. I have eaten lunch at home most days for over a decade, so that part of my daily routine hasn’t changed. After lunch I return to work until the end of the day when I come home. My wife has her morning routine and then goes to her piano studio on the lower level of our house, and works on lessons and video critiques for her students. During the day we exchange emails and texts, exactly like we did before COVID-19. Keeping as much normalcy as possible has made this transition easier for us. It has helped to ground us at a time when everything seems ungrounded and out of control.

The coming weeks and months will be interesting and challenging. I think Sibylle and I will be able to navigate those challenges and find ways to care for ourselves. I hope the world at large can do the same thing. I fear for many that the sudden upending of regular life, will prove devastating and difficult to adjust to. Our society, the world’s society, will forever be different following this pandemic.

For now, I’m, we are, working from home, wondering what’s fucking happening.

Who Needs dig?


The dig command is useful but can overwhelm with its output. This utility website simplifies the process and the results.

One Page Dungeon


January 2020 Flotsam


Links, tweets, and other random things that caught my attention in the past month.

How to Rip Blu-Rays and DVDs in 2020

7 Questions Sysadmins Should Ask a Potential Employer

Sway Window Manager Using Nord Colors

Every Default macOS Wallpaper in 5K

[1920s Lyon and Healy Style Carved Top Mandolin]( “Every Default macOS Wallpaper in 5K” “1920s Lyon and Healy Style A Carved Top Mandolin”)

Building a Simple VPN with WireGuard and a Raspberry Pi

S3 Email

Shell Style Guide


Google’s shell style guide.

How to Block Bloglovin


Last night, while reviewing the visitor logs for my site, I noticed several hits from frame.bloglovin.com. I’m always curious to see where visitor to my site are coming from, so I clicked on the link that had brought them to my site and saw this.

BlogLovin’ Subscribe image

My initial reaction was WTF?

There’s no obvious way to dismiss that subscribe dialog, but when I clicked on the site behind it the dialog went away. The page behind it had this as its header.

BlogLovin’ Frame image

They aren’t scraping my content and claiming it as theirs, but they are presenting it through their site, with their header. I was not pleased.

A quick search led me to a couple of articles about BlogLovin’. The verdict is that, while perhaps not 100% sketchy, they are pushing it. It appears they add comments, through their site, to my content. The Ultimate Guide to BlogLovin’ actually reversed their standing on the service. Over at BlogLovin' is Now Stealing Your Posts there is evidence that BlogLovin’ is actively claiming content that isn’t there’s.

Toward the end of the second post there was reference to how to block BlogLovin’ on Nginx using $http_user_agent and a link to a (now defunct) article about doing the same with Apache based servers.

I did another search and learned how to block access to my site by testing the User-Agent property in the request. Here’s a sample of the code to be placed in the .htaccess file.

<IfModule mod_setenvif.c>
  SetEnvIfNoCase User-Agent (bloglovin) bad_user_agents

  Order Allow,Deny
  Allow from all
  Deny from env=bad_user_agents
</IfModule>

This test is case insensitive, and since the matching string isn’t prefixed with a ^ the string can occur anywhere in User-Agent.

There have only been five total visits to my domain through BlogLovin’, all within the past week. Roughly a week ago I resurrected a long dormant subdomain, and the scraped content was all from that site. I added the htaccess directive to my main domain, and to the subdomain that was being scraped. Now I’ll have to wait and see if any 403 errors are produced.

It’s self-entitled liberties like this that make the World Wide Web frustrating at times.

If you want to keep up with my publishing, click the RSS icon at the bottom of the page and add me to your RSS feed.

JetBrains Mono


My new favorite monospaced font. I particularly like the increased “x height” or how tall the lower case letters are in relationship to the upper case.