Matthew Ernisse

July 12, 2018 @20:47

I enabled HTTPS on this website just under a year ago. If you follow my blog you know that this is a static website, and since there appears to be a bit of an uproar in the web community over HTTPS right now I figured I'd simply weigh in.

Do you need HTTPS for your website?


There are lots of good reasons for this, and not many reasons not to do it, but the major point that resonates with me is not the risks to your website, but the risks to the Internet at large. Actors (both malicious and benign) can inject content into any site served over HTTP and cause the web browsers of that site's visitors to do... essentially whatever they want. This doesn't have to be targeted at your site; anyone in the middle can simply target ALL HTTP traffic out there, regardless of the content.

This isn't a user agent (browser) problem and it isn't a server problem: without the authenticity provided by TLS, anyone with access to ANY part of the network between the server and the user agent can inject anything they want.

HTTPS is Easy, and for most it is free. It also allows HTTP/2 which is faster (even for static sites like this one which uses HTTP/2). Really it is. If you aren't convinced let me also point you at Troy Hunt's excellent demo of what people can do to your static website.

April 06, 2018 @14:30

I had occasion today to install some updates on one of my macOS systems and found myself inconvenienced by a number of applications adding a pile of dock icons without asking. I don't keep much in the dock on my systems preferring to use clover+space to launch applications and I don't think I have touched the dock layout in literally years at this point so I went searching for a solution.

Clean Dock

From chflags(1) the 'schg' flag makes a file system immutable, meaning not even the super-user (root) can alter it.

A quick cleanup of my dock and chflags schg on ~/Library/Preferences/ seems to have prevented further changes by installers.

You will have to chflags noschg the plist file to make any changes to the dock stick in the future.

January 02, 2018 @11:36

It seems like the blog is turning into an alternating stream of screaming about things Apple is doing wrong and gushing about how great the UniFi line of products are from Ubiquiti... I have a backlog of ideas for things to write about other than those; it just seems like life keeps getting in the way and out the other end either a rant or praise just naturally flows.

I suppose it is also easiest to write about the things that have most recently consumed a few hours of your life. I'd write about how I just re-wrote the entire website generation code in Jinja2 and Python3 but that's not really all that interesting as it was basically drop-in.

So rolling back to things that I have worked with recently, you might remember this post from just before the holidays wherein I fought a bit with the two UniFi softwares to get them to use the same SSL certificate. I also hinted that this was coming over here where I talked a bit about the experience of extending my UniFi WiFi network infrastructure to my office at work.

I bought the UVC-G3 camera in the same order as the newest AP with plans of mounting it to my garage. If you saw my original post on setting up UniFi in the first place you may have seen on the map view that I have a detached garage. Having a view of the driveway, side walk and yard and a bit of the front is certainly useful but this is also the most challenging location that I intend to have a camera. Currently the uplink is over the WiFi connection between the garage and basement APs and if you have been following the weather it has averaged about 9°F up here so being an un-heated and un-insulated garage this is the most environmentally difficult spot I've got.

cam01 in place


I'm happy to report that the initial setup is very similar to the WiFi products. The controller software (apparently via a UDP broadcast) sees the cameras as they come up on the network and gives you the option to 'manage' the camera. As an alternative you can manually configure the camera to connect to your controller if they aren't on the same layer 2 network segment, or use the camera simply as an RTMP server. In managed mode the whole process is very similar to adopting a UniFi access point. Once you have the camera managed it will upload any new firmware that it needs along with some base configuration and reboot it a few times. Once that has settled down you can move on to the rest of the setup for the camera(s). The configuration is pretty slick and easy. You end up with 2 tabs to go through and in most cases the defaults are sane.

UniFi Video Camera Setup


There are a couple options for recording as you might expect in NVR software. You can record always, never, on a schedule, or on motion. You also have a few options for retention, either time based, space based, or both. This ends up being pretty powerful and again the defaults are reasonably sane.

UniFi Video Recording Setup

The most amazing feature that is bundled in the NVR software (for free, without any cloud nonsense, and without any strings attached other than needing to buy their otherwise very good cameras I might add...) is the motion based recording. From the camera configuration screen you can configure your motion detection zone. Once you hit configure you are presented with a live view from the camera that you can draw a boundary box on.

UniFi Video Motion Zone Setup

After adjusting the border of the area you can smack 'test zone' and... more awesomeness happens. The zone border disappears and instead you get the same live image, but now detected motion is overlaid in red and a nice histogram appears showing the trigger threshold versus the amount of motion in the frame (red is exceeding the threshold, green is not). This lets you fine-tune the motion trigger sensitivity and hopefully keep false positives low.

UniFi Video Motion Zone Test

Once you are happy with your new camera settings you can tell the software to alert you once a recording is triggered and you will be presented with a nice e-mail with a snap of the frame that triggered the event.

UniFi Video Alert Mail

Software Review

So the setup process was reasonably painless. The software installed just about as easily as the WiFi software and configuration was almost alarmingly easy. It has been almost a month since I've gotten this all up and running and I have to say it has been basically hands off. The iOS mobile application works great, and thanks to the power of VPN I can watch live video and recordings from just about anywhere without having any of this accessible to the Internet at large. The camera itself uses h.264 and uses a little over 1 Mbps worth of network bandwidth. So far there have been some hiccups in connectivity thanks to the weather and the WiFi link, but nothing major and nothing lasting more than a few seconds.

Traffic Graph For Garage

Hardware Review

The camera itself is really quite nice. Feels solid and comes with a very versatile mounting system. It was easy to aim and secure and has held up without complaint to our delightful weather thus far. The only irritation is that unlike most of the WiFi products, the cameras are still supplied with 24V 'Passive-PoE'. The garage switch does have 802.3af PoE, but I still have to use an injector in line. Not a huge deal here but I have some other locations where I'd really like to be able to power the camera via the local switch without more hardware in the line. There does appear to be a SKU for 802.3af capable UVC-G3 cameras but I can't actually find someone selling them yet. Perhaps in the near future they will appear and my only hardware gripe will go away. (fingers crossed)


So, tl;dr? Ok. This is just as rad as the WiFi, if you are in the market for a slightly more complex than 'consumer grade', powerful, and most assuredly not cloud connected surveillance solution then give this a serious look. You might be surprised. I sure was.

Edited: December 30, 2017 @14:10

Seriously, It Isn't a Problem

There has been a bunch of discussion around the 'revelation' that a software update to the iPhone was purposefully slowing older phones. I believe that they should have been more transparent to users about what was happening, perhaps even adopting the UI from the MacBook for when the battery has aged and requires replacement (I had to do this about a year ago on my 2011 MacBook Pro; macOS will toss a little ! by the battery icon and of course System Report will give you further information).

macOS Battery Info

Sadly on this front Apple opted for a pretty inconspicuous note in their release notes for the iOS 10.2.1 update...

iOS 10.2.1 Release Notes

I don't see any of this as being a problem. Lithium cells age in charge/discharge cycles. The chemistry of the cell changes slightly as energy is pulled out of and pushed back into the cell. This change is irreversible. Most manufacturers rate their cells in the 300 to 500 cycle range after which it is typical to have lost 20% of the original capacity of the cell. One of the things that happens as the cells age is that the internal resistance increases, meaning essentially it becomes harder to get energy into and out of the battery. If we do a little back of the napkin math here suddenly this all seems very reasonable. If you charge your phone nightly from 50% (low for me, high for a lot of other people I know who always seem to be in the red at the end of the day) then you will be putting about 182 cycles on the battery per year. At this rate you will hit 500 cycles in under 3 years. At the time of writing the iPhone 6 is over 3 years old, the 6S is a little over 2, and the 7 (which I have) is a little over a year old. There is also some evidence that the harder you work the phone, the higher it will drive the internal resistance of the cell over the lifespan which might be what caused Apple to decide to throttle the CPU speeds on aged phones. The software only appears to throttle phones as battery capacity drops so the performance of the device can be restored by simply replacing the aged battery.

Which brings me nicely to the real point of this.

Non-Replaceable Batteries ARE A Problem

If Apple had never decided to go with a non user serviceable battery then this never would have been a problem. Battery getting older? No problem! The thing is, I can't lay all the blame for this at the feet of Apple. EVERYONE is doing this now. There is nary a flagship device on the market that lets you pull the battery out. Even my previous phones, the oft scoffed at BlackBerry Passport and BlackBerry Classic, had non-removable batteries. It is understandable that not having to accommodate removable batteries makes design and construction of the phones easier, means fewer parts to manufacture and assemble and can certainly lead to smaller and lighter devices, but I believe that we have reached the point where the devices are small and light enough. With the resurgence of the larger phone and 'phablet' form factors, surely you can take the hit in the profit margin to put a replaceable battery on a $1000 device... right?

On the bright side it seems that (if you trust a reddit post) Apple charges a fairly nominal fee to replace the battery in your phone. Honestly it is about what the battery would probably cost you retail, but I can't help but feel like this whole thing could have been avoided if they had just made the battery removable.


I think Apple is doing the right thing. Bullet 2 in the article should really have been a no-brainer in the first place but it is good seeing them recognize that some things you can't just hide behind the UI and hand waving. I still would really like this trend of non user serviceable batteries to die in a fire though.

December 18, 2017 @20:48

I run UniFi to manage my various Ubiquiti access points, now across multiple sites, and I try to set up everything with HTTPS only and with certificates signed by my internal CA. I followed the instructions provided by Ubiquiti for UniFi back when I installed it.

Recently I added UniFi Video into the mix and am running that application on the same VM as UniFi (yeah, the names of the applications are a bit confusing) so I wanted to use the same certificate since the hostname and IP are the same.

The problem with this is that in the Ubiquiti documentation you use the Java keystore to create a CSR and sign it. This means you never get the private key so you can't import the resulting certificate into a different keystore. You can however import a keystore entry into another keystore. So this is how I used that to work around the lack of a private key.


If all you want to do is use a custom certificate with UniFi Video and not copy the certificate from UniFi you can look here, which are the instructions that I based the installation phase of this procedure on.


I have the software installed on a VM running Debian 8, with the following versions of the Ubiquiti software installed from their apt repositories. The process should be similar for other distributions and versions, but the paths are likely to be different so go poking around before trying this.

> dpkg -l unifi\* | awk '/^ii/ { printf "%s - %s\n", $2, $3 }'
unifi - 5.6.22-10205
unifi-video - 3.8.5


Since I use Puppet for configuration management, I built the VM using my normal Debian PXEBoot installer which automagically configures the new system with Puppet as a postinst task. The entire manifest set will configure all the base things (auto-updates, Icinga monitoring, NTP, DNS, SSL Certificate trust, NFS, LDAP and more!), but this manifest is all it takes to get a combined UniFi and UniFi Video system (with auto-update). It is really nice when software plays nice together.

# Setup the UBNT NMS for the UniFi wifi gear.
class unifi_nms {
    include 'apt'

    # The location and key_server values are blank in this copy of the manifest.
    apt::source { 'ubnt':
        location    => '',
        repos       => 'ubiquiti',
        release     => 'stable',
        key         => '4A228B2D358A5094178285BE06E85760C0A52C50',
        key_server  => '',
        include_src => false,
    }

    apt::source { 'unifi-video':
        location    => '',
        repos       => 'ubiquiti',
        release     => 'jessie',
        key         => '795C6027520643F0BA02297F97B46B8582C6571E',
        key_server  => '',
        include_src => false,
    }

    # haveged keeps the entropy pool filled on the VM.
    package { 'haveged':
        ensure => latest,
    }

    # The entries of the two require lists below are cut off in this copy.
    package { 'unifi':
        ensure  => latest,
        require => [],
    }

    package { 'unifi-video':
        ensure  => latest,
        require => [],
    }
}


In short the process is:

  1. Stop unifi-video
  2. Move the existing keystore out of the way
  3. Export the private key and certificate from unifi
  4. Convert the certificate to the appropriate formats and move into place
  5. Start unifi-video

This is the tricky bit, a few things worth documenting for clarity

For UniFi

For UniFi Video

You may want to unmanage your cameras first, the directions are a bit unclear in this exact case and I chose to.

This is what Worked For Me

Stop Services and Backup Keystore

> sudo invoke-rc.d unifi-video stop
> sudo mv /usr/lib/unifi-video/data/{keystore,keystore-orig}

Export Certificate and Key

>sudo keytool -importkeystore -srckeystore /usr/lib/unifi/data/keystore -destkeystore unifi.p12 -deststoretype pkcs12
Importing keystore /usr/lib/unifi/data/keystore to unifi.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias cert1 successfully imported.
Entry for alias unifi successfully imported.
Import command completed:  2 entries successfully imported, 0 entries failed or cancelled

Use the UniFi password for all 3 password prompts or keytool will complain.

Now convert the PKCS12 store into DER encoded files with OpenSSL.

>openssl pkcs12 -in unifi.p12 -nokeys -clcerts -passin pass:aircontrolenterprise | openssl x509 -outform der -out unifi_cert.der
>openssl pkcs12 -in unifi.p12 -nocerts -passin pass:aircontrolenterprise -passout pass:123456 | openssl pkcs8 -topk8 -inform PEM -passin pass:123456 -outform DER -nocrypt -out unifi_key_decrypted.der
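
Before the two DER files are moved into place it is worth confirming that the exported certificate and private key really belong together, and that the now unencrypted key is not readable by other users. The following is an added example, not part of the original post; the function names `der_pair_matches`, `key_mode_is_private` and `make_sample_pair` are assumptions, and the key pairs it generates are constructed throwaway material.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# der_pair_matches CERT.der KEY.der
# Returns 0 when the certificate's public key equals the public key derived
# from the unencrypted PKCS#8 private key, 1 on a mismatch, and 2 when either
# file cannot be parsed (so two unreadable files never count as a "match").
der_pair_matches() {
    cert_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -inform DER -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_mode_is_private FILE
# Returns 0 when neither group nor other has any permission bit on FILE.
# The DER key written with -nocrypt has no passphrase, so file permissions
# are the only thing protecting it.
key_mode_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# make_sample_pair DIR NAME
# Builds a constructed, self-signed test pair in the same two DER formats the
# post produces: DIR/NAME_cert.der and DIR/NAME_key.der.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example" \
        -keyout "$1/$2_key.pem" -out "$1/$2_cert.pem" 2>/dev/null &&
    openssl x509 -in "$1/$2_cert.pem" -outform DER -out "$1/$2_cert.der" &&
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$1/$2_key.pem" -out "$1/$2_key.der"
}

# Run with the single argument "demo" to exercise the checks on sample data.
# Against the files from the post the call would be:
#   der_pair_matches unifi_cert.der unifi_key_decrypted.der
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_sample_pair "$tmp" a && make_sample_pair "$tmp" b
    der_pair_matches "$tmp/a_cert.der" "$tmp/a_key.der" && echo "a/a: pair matches"
    der_pair_matches "$tmp/a_cert.der" "$tmp/b_key.der" || echo "a/b: mismatch detected"
    chmod 600 "$tmp/a_key.der"
    key_mode_is_private "$tmp/a_key.der" && echo "a_key.der: owner-only"
    rm -rf "$tmp"
fi
```
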

Prepare and Install Certificate and Key

Now these get moved into place as specified by the documentation...

>sudo rm /usr/lib/unifi-video/data/{keystore,ufv-truststore}
>sudo rm /usr/lib/unifi-video/conf/evostream/server.*
>sudo mkdir /usr/lib/unifi-video/data/certificates
>sudo mv unifi_cert.der /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
>sudo mv unifi_key_decrypted.der /usr/lib/unifi-video/data/certificates/ufv-server.key.der
>sudo chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
>sudoedit /usr/lib/unifi-video/data/


>sudo invoke-rc.d unifi-video start


If all goes well you should see something like this in /var/log/unifi-video/server.log:

1513647038.643 2017-12-18 20:30:38.643/EST: INFO   >>>> unifi-video v3.8.5+a24428.171030.1542 is starting in main
1513647038.713 2017-12-18 20:30:38.713/EST: INFO   Loading camera keystore from /usr/lib/unifi-video/data/cam-keystore... in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO   Creating a new app key store and import custom certs in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO   Importing custom app key/cert pair in keystore in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO   importPrivateKey: loading keystore /usr/lib/unifi-video/data/keystore in main
1513647038.793 2017-12-18 20:30:38.793/EST: INFO   importPrivateKey: loading key /usr/lib/unifi-video/data/certificates/ufv-server.key.der in main
1513647038.835 2017-12-18 20:30:38.835/EST: INFO   importPrivateKey: loaded cert chain /usr/lib/unifi-video/data/certificates/ufv-server.cert.der - 1 certs found in main
1513647038.854 2017-12-18 20:30:38.854/EST: INFO   importPrivateKey: stored the key in main
1513647038.854 2017-12-18 20:30:38.854/EST: INFO   Custom app keystore created and loaded sucessfully in main
1513647038.863 2017-12-18 20:30:38.863/EST: INFO   Loading app keystore from /usr/lib/unifi-video/data/keystore... in main
1513647038.877 2017-12-18 20:30:38.877/EST: INFO   loadTrustStore load existing file: ufv-truststore in main
1513647039.064 2017-12-18 20:30:39.064/EST: INFO   SSL Keystore initialized in main
1513647039.145 2017-12-18 20:30:39.145/EST: INFO   Controller starting in main


Success Screen Shot

Now you can re-manage your cameras. I suspect since cam-keystore is left in place that un-managing and re-managing your cameras may not be needed but I'm going to err on the side of caution here.

All of my previously configured settings for the camera were re-applied (recording settings, motion zones, etc..), so it was only like 3 extra clicks for a little bit of safety.

Edited: December 13, 2017 @20:47

I'm not currently subscribed to Patreon largely because when money on the Internet is concerned I have a long wait and see what happens cool down. There are a lot of Internet start ups that come and go like a flash in the pan and a lot that get bought quickly and morphed into something else. If you are going to have some way to charge me money, I need some stability. I have no problem being an early adopter, as long as you don't have a link to my bank account or credit card (even through a third party).

Seems like a safe and sane option to me.

That being said, since Patreon seemed like it was gaining traction, especially with people that I respect who are creating things, I started collecting links to the Patreon profiles I was interested in backing in my private wallabag instance with the intention of eventually subscribing and throwing some beer money into the hat.

Of course Patreon goes and screws it up, so I'm at the very least putting that idea on hold.

Dave Jones of the EEVBlog just posted a good video about what they are doing from the creator's point of view.

You can go and read Patreon's explanation and decide for yourself, but I get a huge waft of crap off this. I have a hard time trusting the direction this is going in and until that trust is restored I won't be giving them money.


I'll just leave this here...

December 11, 2017 @13:37


A while back I posted an initial review of iOS 11 and a follow up along with what I admit was a bit of a rant about a beta of iOS 11.2.

The long and short of my complaints was basically:

I'm happy to admit that of the 6 or so grievances, the two that really hurt my daily usability of the device are fixed.

They also restored the force touch app switching on the iPhone 7 much to my delight.

Sadly... the Home Control bug seems to remain. At this point I'm going to stay away from anything HomeKit since I do not want to risk a stranger being able to control my home even with my phone locked.

Home Control WTF

Podcast app returned to form!

Not much to say, just works now. I was delighted the other evening while listening to King Falls AM when the next episode just started playing.

App Search, searches!

App Search Setting

I stumbled on this a bit accidentally. Sometime after I upgraded to iOS 11.2 I installed a new app (something I pretty rarely do). In doing so my natural motion is to go into Settings and disable Siri and Search since it defaults to on (even when everything else is off...). As I ticked the switch to off I was shocked to see a new option appear! Turns out it does exactly what I want. My 'use the phone like clover+space on the Mac' workflow is now back at my fingertips. Incidentally this is when I tried the force touch app switch and found it has been restored to my loving embrace. I'm sure my thumb will be thankful that the days of the double tap are numbered.


This is really the release that 11.0 should have been. I still think that Apple's release quality has suffered from their relentless pace of releases, but given the continual march of security updates and bugfixes I would still not suggest anyone lag behind the current version if they can reasonably help it. Honestly a little inconvenience of a crap release is nothing compared to a remote code execution vulnerability.

December 05, 2017 @22:51

This morning the UPS guy greeted me with a new Ubiquiti UniFi access point destined for use at work. I have been using a Mikrotik RB951-2HnD as a router and access point but I'm wanting to take advantage of 802.11ac for various reasons so I ordered a UAP-AC-IW to replace the built-in Mikrotik WiFi. I'm still going to use the Mikrotik as a router and switch.

New AP!

To prep for the new AP I set up a new site in UniFi, re-created the network profiles and loaded in the IP range for the work segment of my network and the local RADIUS servers for WPA-Enterprise. I did this about a week ago so it was all ready for the big day. The other piece of business was making sure I had layer 3 adoption set up. I chose the DHCP option and set up the Mikrotik to hand out my UniFi server's IP as indicated.

[admin@bdr01] > /ip dhcp-server option export compact
# dec/05/2017 23:00:13 by RouterOS 6.40.5
# model = 951Ui-2HnD
/ip dhcp-server option
add code=252 name=proxy-pac value=\
add code=43 name=unifi-address value=0x0104c0a****

[admin@bdr01] > /ip dhcp-server network export compact
# dec/05/2017 23:01:46 by RouterOS 6.40.5
# model = 951Ui-2HnD
/ip dhcp-server network
add address=192.168.***.***/28 boot-file-name=pxelinux.0 dhcp-option=\
    proxy-pac,unifi-address dns-server=192.168.***.***,192.168.***.***\
    gateway=192.168.***.*** netmask=28\
    next-server=192.168.***.*** ntp-server=192.168.***.***

New AP pending adoption

I was impressed with and a bit surprised by the whole process. The UniFi software was smart enough to realize that the new AP was located in the new site (I assume because I told it the network address for the new LAN range) and promptly dropped it in the list of devices for the right site. After pressing adopt and waiting for the firmware update and provisioning process I was greeted with an alert that confirmed that everything was working.

Old AP is now a rogue

The Mikrotik is now being seen as a rogue! A quick disable of the wlan interface in RouterOS and everything just jumped over to the new UAP-AC-IW AP! It's really nice when things just work like they say on the tin.

I really couldn't be happier with these things. I wrote a bunch about the setup at home before and I'm pretty happy to see the success continue.

Hopefully my luck will hold out...

Another new toy

👍 💯 🍺

November 28, 2017 @10:10

It shouldn't surprise anyone that the Internet is under attack, but if it does, or if you want to know what you can do about it read on.

Call Congress

  1. Demand Progress - They have a number of causes they are working on including Net Neutrality.
  2. The EFF - The OG defender of rights in the digital age.
  3. NY Times Video - What Is Net Neutrality
  4. NY Times Topics: Net Neutrality
  5. Wired - Here's How The End of Net Neutrality Will Change the Internet

The Internet can only succeed if it remains open and free. Billions of people across the globe rely on it and if we allow corporate profiteering to take over then we will stifle so many of the core values not only of the Internet (it really has no values, being a collection of interconnected, yet privately run networks and all..) but of society itself. Freedom of expression, peaceful assembly, the ability to protest and communicate, and to innovate are all things we've held dear as a people for much longer than we've had the technology to communicate.

I spent almost a decade working for an ISP back before the 2015 Title II classification of Internet providers. I watched the executives of said ISP and its brethren (it's a small world in the "string wires across the globe" business after all) work harder and harder to try to find ways to squeeze more revenue out of their customers. Data caps and pay-per-gigabyte plans were the envy of the American ISP, though customers were very vocally against it and the market isn't quite oligopoly enough to pull the trigger, so the tactics switched to quieter changes. Things like search engine and browser hijacking to DNS query redirection, and general data collection.

I can tell you that the infrastructure was already largely in place back in 2010 to enact the horror stories of blocking, throttling and extortion of content providers that people are presently worrying about.

This isn't science fiction, or scaremongering. It's already sitting there. Waiting for marketing to put a nice spin on it and the lawyers to say it's not a liability to use it.

If we give this up... it may take us decades to undo the damage, not only to ourselves but to the world at large. While a global network of networks, a lot of the infrastructure people use every day is located here in the US of A or is owned by US based companies, so what we do has deep effects globally.

If you live in the US, please look at the links above and put pressure on your elected representatives or if you can afford it, why not buy a FCC board member... I hear Ajit Pai is already spoken for though.

Call Congress

Edited: November 14, 2017 @15:00

Screenshot from MacRumors

I feel like I should explain why this irks me so. Apple just made a change so drastic in the functionality of their user interface (remember that Control Center is supposed to provide you with quick access to common functions from anywhere within the operating system) that they feel the need to present the user with a modal pop-up dialog box explaining why the user's understanding of the effect of the action that they just took is wrong.

This is antithetical to good design. The user interface shouldn't need a system native dialog box that pops up to apologize for itself. It should be self-explanatory. The user's intent is clearly to turn off the radio, but Apple has decided to redefine what they think the user wants and then drool all over themselves to try to be "transparent" about it.

Let's get back to the part where the UI did what the user actually wanted, that was nice.

Dear Apple, This shit is still just WRONG. Stop it. Whomever let this out the door in the first place is bad at their job. Whomever has let this fix out the door is also bad at their job. Yours Truly, Matt

I think I'm mad, largely because I'm afraid this is indicating the direction that Apple is heading and that I'm going to have to get off the ride. I really don't want to do that. Linux on the desktop and phone is still a really terrible user experience.

November 04, 2017 @12:50

It's probably a testament to the iPhone that I even have these gripes. I was never much of a mobile web user before and compared to others I am sure I'm not much of one now, but I do look at things on my phone now more than I used to.

I'm going to pick on a couple sites in specific but a whole metric boatload of the mobile web seems to do this crap and I'm sure there are thousands of words hidden away in private wikis about this particular user experience pattern and how great it is at driving app engagement or some other complete steaming pile of navel gazing wrongness.

Sin The First: Modal

I recognize that most people like apps, I don't. I also get that website owners want to associate their website with their app (and I remember watching a WWDC talk wherein some of the iOS security features may require this association), so they toss the <meta> tag into their markup and voilà, this crap happens.

App Whoring

Now I will admit that Apple has improved this behavior, it feels like these banners don't appear as often as they did in previous versions of Safari / iOS but it is still something that you should be able to turn off.

Dear Apple, Let us compromise for the sake of sanity. We can just add a toggle in -> Safari -> Advanced called 'Disable App Discovery' or some crap. Surely that isn't unreasonable or difficult?

Love, Matt

Sin the Second: Inline

I will give reddit a bit of credit here, they at least only seem to do this once. After you get the magic cookie that says you've made the obvious error of not getting their app they shut up. Unless you happen to be like me and periodically clean out your cookies and rotate your advertising identifier in the vain and silly hope that it makes it harder on the digital panopticon.

Won't you please consider our wonderful app

The part that bugs the crap out of me is how hard it is to hit that stupid link. Someone clearly doesn't actually want you to use their mobile website.


Oops! You clicked on something, time for some more disruptive and somewhat misleading 'user experience'. In this case 'Take Me Back' actually means 'Do what I told you and show me the thing I tapped on like I would expect you to do.' I guess that is probably too wordy to put in a button.

Sin The Third, Begging

This one has that whiff of desperate basement dwelling neckbeard all over it. Like seriously, my mom uses my app, so you really should too. I won't fix your computer if you don't download my app and rate it 5 stars in the app store.

imgur has their legs spread SO WIDE for you

Let's see... button in the header bar, overlay button in the bottom with bonus points of 'tiny dismiss tap target' and huge screen-sized ad inserted in the content.

Yep, they really would like you to install their app.

An Open Letter To Web Designers

Dear People Writing Websites, Knock this crap the redacted off.

Hugs and kisses, Matt

The really odd thing is that in a number of cases the mobile web sites are better than the desktop ones, and I'd have no complaints if it wasn't for this nonsense. Reddit is a good example of this. Their desktop website pales from a usability perspective compared to the mobile version and yet they feel the need to promote their app. I assume it is so they can better data mine your phone and sell you out for more profit, because I can't fathom what other benefit a native application would bring.

Further Reading

The beatings will continue until the situation improves.

Official soundtrack of this post: Pigface - The horse you rode in on

November 02, 2017 @20:48

Wherein I feel like I am the product again...

So let's do a little thought experiment.

So, you have this distribution channel that is the only way to (for normal people at least) install software on a device they claim to have sold to you.

Ignoring how completely despicable that premise is... you would think that at least for the appearance that they actually mean that whole "Unlike our $competitor, you aren't the product" stuff, perhaps they might not try to squeeze every single plug nickel out of you.

It is not shocking in the least, but at the same time I find it both disappointing and a bit offensive when this happens:

Ads in the App Store, iOS 11.1, iPhone 7

Now, I don't know for sure if this is new in iOS 11.1, though I suspect it is. It seems to happen in a way that has slipped past my network-wide ad-blocking filters, and when you add it to the rather horrific application discovery experience that is the App Store in general the whole thing just smells of a really ill-advised money grab.

"Hey, finding an app you might like on the App Store sucks, how do
we fix that?"

"Oh, simple, we don't and we charge people to promote their apps in
search results and stuff in the App Store!"

"Brilliant!  Get this man a raise!"

let thing = "Apple"

print("\(thing) sucks, but everything else sucks more.")

Double Face-palm

I'm sure Steve Jobs would be so proud.

October 26, 2017 @20:33

I have been trying to get AWStats running on my Debian 9.2 (Stretch) web server. It has been fighting me. This is as much a note for future me as it is for you.

To Start With

Now I don't think this is something I added to the stock Debian Apache config, but just in case this is my Apache LogFormat. It ends up writing out to /var/log/apache2/other_vhosts_access.log. This keeps all the logs for all the activity on the server in one place and makes things nice and neat. Of course the stock Apache LogFormat in AWStats assumes one domain per log file.

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

So, to start I will assume you (future me) have done the usual apt-get update and apt-get install awstats dance by now, and have read /usr/share/doc/awstats/README.Debian.gz (if only to get the Apache config directives you need out of the sample config fragment).

I threw together a quick config with a SiteDomain set to but nothing happened. As foreshadowing I will remind the reader that I recently set up HTTPS on that domain.


The big gotcha is that %virtualname in AWStats matches the entire %v:%p string from the Apache log, port included, so basically SSL hosts need the :443.

In the base awstats.conf.local I have:

LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"

Then the magical incantation you want in your per-domain config files is:

Include "/etc/awstats/awstats.conf"
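The gotcha above, run against constructed log lines in the vhost_combined format. This is an added example, not part of the original post and not AWStats' own code: the host names, addresses and the `hits_for` helper are made up, and the exact comparison models the matching behaviour described above.

```python
import re
from collections import Counter

# Apache: LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
# Group names mirror the AWStats LogFormat tags used in awstats.conf.local.
Q = r'(?:[^"\\]|\\.)*'  # body of a quoted field; Apache escapes embedded quotes as \"
VHOST_COMBINED = re.compile(
    r'(?P<virtualname>\S+) (?P<host>\S+) (?P<other>\S+) (?P<logname>\S+) '
    r'\[(?P<time1>[^\]]+)\] "(?P<methodurl>' + Q + r')" '
    r'(?P<code>\d{3}) (?P<bytesd>\d+|-) '
    r'"(?P<refererquot>' + Q + r')" "(?P<uaquot>' + Q + r')"$'
)

# Constructed sample lines (documentation host names and address ranges).
SAMPLE_LOG = r'''www.example.org:80 192.0.2.10 - - [26/Oct/2017:20:01:02 -0400] "GET / HTTP/1.1" 301 573 "-" "curl/7.52.1"
www.example.org:443 192.0.2.10 - - [26/Oct/2017:20:01:03 -0400] "GET / HTTP/1.1" 200 5120 "-" "curl/7.52.1"
www.example.org:443 198.51.100.7 - - [26/Oct/2017:20:02:10 -0400] "GET /blog/ HTTP/2.0" 200 8342 "https://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
other.example.net:443 203.0.113.5 - - [26/Oct/2017:20:03:44 -0400] "GET /a\"b HTTP/1.1" 404 310 "-" "Mozilla/5.0"
'''


def parse(line):
    """Return the fields of one vhost_combined line, or None if it does not match."""
    m = VHOST_COMBINED.match(line)
    return m.groupdict() if m else None


def virtualnames(log_text):
    """Count hits per %virtualname value, i.e. per 'vhost:port' token."""
    records = (parse(line) for line in log_text.splitlines())
    return Counter(rec["virtualname"] for rec in records if rec)


def hits_for(site_domain, log_text):
    """Count lines whose whole %virtualname field equals site_domain.

    Assumption: a case-insensitive exact match stands in for the behaviour
    the post describes; the port is part of the compared string.
    """
    wanted = site_domain.lower()
    return sum(n for name, n in virtualnames(log_text).items() if name.lower() == wanted)


if __name__ == "__main__":
    for candidate in ("www.example.org", "www.example.org:443"):
        print(candidate, "->", hits_for(candidate, SAMPLE_LOG), "hits")
```
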


October 13, 2017 @19:10

I monitor the DSM version on my Synology NAS with my icinga2 instance and sometimes alerts pop while I'm not in a position to run the upgrade using the normal GUI process.

This is rare enough that I almost always find myself trying to remember how to do it via ssh(1) and after flailing around aimlessly for a while I ultimately figure it out. This time I figured I'd write it down so I can at least find it in the future.

Basically synoupgrade is what you want.

Synology DS214se

admin@nas01:/$ sudo synoupgrade --check
Available update: DSM 6.1.3-15152 Update 7, patch type: smallupdate, restart type: none, reboot type: now
admin@nas01:/$ sudo synoupgrade --download
New update has been downloaded
admin@nas01:/$ sudo synoupgrade --start
Start DSM update...
Finish DSM update, reboot now!!

Broadcast message from root@nas01
    (unknown) at 19:00 ...

The system is going down for reboot NOW!

October 12, 2017 @22:00

iPad Impressions

I mentioned a few things in my first post that I thought might be better on the iPad than the iPhone.

iPad iOS 11 Screenshot

I like the new task switcher a lot, and I can see potential in the dock if you don't turn off all the iCloud features. I was wrong about the video stuff though, that's still too small and garbage.

iPad iOS 11 Screenshot

I Still Think This Stuff is Ugly

iPhone iOS 11 Screenshot

The more I look at it, the less I like the huge text block at the top of the tab screen. It feels like such a huge waste of screen real estate which feels antithetical to the entire point of designing a mobile UI.

Control Center Is Doing Radios WRONG

I ran into this last week as I was flying to Las Vegas for a work conference. I turn off WiFi and Bluetooth when I'm traveling for a number of reasons, but mostly battery life. It looks like tapping the radio icons in Control Center does not actually turn off the radio but disconnects you from the currently connected items, leaving the radios on, draining your battery, and broadcasting information out into the aether. You have to actually go into Settings to turn off the radios. Thankfully Airplane Mode seems to actually disable the radios so my battery didn't get murdered on the flights but the last thing you want to do is walk around a technical conference in Las Vegas with unneeded radios in your phone looking for something useful.

The long and the short of it is that those buttons should disable the radios, not disconnect them.

(╯°□°)╯︵ ┻━┻
