Until last year, work had Mitel 5212 softphones as the main devices on desks. This had been the case since 2008, and it was apparently high time to replace them. As they had nowhere to go but the bin, I grabbed a few in the hope of using them at home. While Mitel has a proprietary protocol (MiNET), they also support standard SIP through another vendor firmware, which allowed me to add a few more physical phones behind my FRITZ!Box.
Using Let’s Encrypt certificates with a FRITZ!Box

Today, when trying to log in remotely to my home router (a FRITZ!Box), I was greeted with a TLS certificate error. I was pretty sure it’s my router, but am I really keen to type a password into a field when I have no idea whether it is actually my machine, or a nice-looking replica? A clear indication that it is time to use a better cert than a self-signed one that I cannot verify remotely.
I use Let’s Encrypt for all my other certificates, so why not use it on my router? However, I found precious little information about how to use it with the FRITZ!Box. Fortunately, it’s pretty straightforward.
Daylight savings in NSW, Australia
I can never understand why daylight savings is a thing, nor if it is useful to anyone. So I made a survey to understand this better.
Would all of you mind taking this survey and circulating the link around? https://www.surveymonkey.com/r/38CMMQM
Exporting the SSL root store from Mac OS X’s Keychain
security export -k /System/Library/Keychains/SystemRootCertificates.keychain -t certs -p
Useful for plain Unix/OpenSSL tools.
Download Oracle JDK without nagscreens
With M as the major, m as the minor, and r as the revision,
export M=8 m=65 r=17; wget --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/${M}u${m}-b${r}/jdk-${M}u${m}-linux-x64.tar.gz
Useful for scripting, headless operation, continuous integration, and just for any time when one doesn’t have any for unneeded account creation.
Security considerations and Building Trust

In September last year, the Free Software Sydney meet-up group had an inaugural Jitsi Meet videoconference.
My (longer-than-planned) contribution to the conference aimed at introducing trust and security concepts, mainly in showing the prevalent role of hashes, and covered public-key cryptography uses, GPG, SSL CAs, trusting trust and reproducible builds.
The whole video of the conference, also covering Free Software and Tor, can be found on the page of the event. PDF slides are available here.
Unified password management, the UNIX way
I’ve long been meaning to store all my passwords in a single, safe, location, as a way to remain sane as well as safe. But which one? Every operating system (or desktop environment) now has its own store, but choosing one casts a lot of things into stone, and most have a lot of third-party dependencies.
KeePass seems to be a good cross-platform solution, with clients for Linux, Windows, OS X and even Android, and nice features such as filling on demand. But I don’t like the whole clicky interface, if only for use without graphical display. It also doesn’t offer a native way to synchronise the stores across boxes.
For a while, I have been storing all my important configuration files in a git repository, with some make magic to install and update the files on the system. This magic would also store all passwords in GPG-encrypted files, and replace them when installing the files.
The problem, of course, is that the passwords are still in plaintext in the live systems. And it came back to bite me when I sent an innocuous script (the ics2dav.sh script from this post) to a friend… with the password nicely sitting there. Fortunately, I noticed this before him, and changed my password. In addition, this doesn’t cater for passwords stored in other applications, such as Firefox.
So things had to change. And I discovered pass(1), a simple command-line tool based on GPG-encrypted flat files, with an option to sync natively with Git. So there is finally an option for me to store passwords in a way which fits my workflow.
Remote scanning on a QNAP TS-212 with a Samsung SCX-3200 with SANE
I recently realised that the QNAP TS-212 NAS (running the latest QTS 4.2.0) can be used as a print server. No need to keep another machine on to print from anywhere!
Remote printing is easy
Both UNICES, through CUPS, and Windows, through Samba, can use the printer straight away. In the case of the Samsung SCX-3205, the driver under ArchLinux is the samsung-unified-driver (from AUR) which, fortunately, doesn’t install any useless binary beyond those needed by the PPD used by CUPS.
client$ pacman -Qs samsung
local/samsung-unified-driver 1.00.36-2
Remote scanning is harder
The problem is that this is a combo printer/scanner. Moving the printer to the NAS requires a similar solution to CUPS to scan from the network. Fortunately, SANE can do this, and there is some documentation about setting it up on a QNAP NAS. In this case, however, this did not work smoothly, so I had to fix a few things.
URL completion in dmenu

I have parted with FVWM. Not that I was dissatisfied with more than 12 years of using it and organically growing its configuration. I was not.
But I was recently shown i3 which, despite not being Awesome, is indeed awesome. Particularly in the usability of its defaults, which I found did not require many a tweak. I was however a bit confused at first, then impressed, when I realised that the auto-generated configuration took into account my Dvorak keymap, and updated the keybindings so the keys would be the same as those on a QWERTY keyboard. That’s thoughtfulness.
The next great thing about i3 (save for $mod+Return to start a term anywhere, anytime), is dmenu. At a press of the relevant binding (equivalent to $mod+d on a 200-year-old keymap), one gets to enter a one-line entry where any command can be entered for execution, with incremental completion.
Dmenu is also nice due to its modularity. It takes a list of strings that can be completed on stdin, and outputs the typed or selected string on stdout, for consumption by whatever script called it.
I figured that it should be possible to handle URLs in a dmenu script. It is actually pretty trivial, and the friend who convinced me to take the jump also provided such a script, which would simply open the typed URL. But I wasn’t entirely satisfied, as recent years of browser usage taught me to expect URL completion. So I looked into ways of doing it.
Reading application configuration files with popt(3)
Popt has a poptReadConfigFile() function, which is described as doing the following:
The file specified by fn is opened and parsed as a popt configuration file. This allows programs to use program-specific configuration files.
What’s unclear is whether it can only be used to enable aliases, or if it can also be used as a general-purpose configuration file to replace the command-line interface, and if so, what format it should be in.
As no documentation I could find explains it one way or the other, I resorted to reading the code.
The short answer is no. Popt (1.16) cannot read command line parameters from an rc configuration file.