The longest time I have been a happy Samsung phone user, currently with the S4 mini, and liked the ability to flash custom ROM’s like CyanogenMod and it’s sucessor LineageOS. However, having a hard time to find a small (4”-screen) phone with a good camera, I am considering the Apple iPhone SE.
Will I be punished for leaving the Android ecosystem?
Which, by luck and a hint, I did not forget to look up.
Sad thing is, the Apple App store does not have an app for automated task execution. Neither Llama, nor Tasker is available. IFTTT will not be of help either, because it can not control local settings.
This is a show-stopper to me and too much of a punishment. No iPhone for me this time.
How to simplify and secure a WordPress installation for kid’s use?
This guide focuses on privacy, security and ease of use. Thus secure access is enforced, a login is required and some UI sugar will be set up. Here are some steps to follow, with detailed instructions below:
Enforce HTTPS
Use WordPress privately, with required login
Disable commenting
Customize the login page for better recognition
Installation & Configuration
Install it using your preferred way
Create an admin user for you and a kid’s account (with the author role). If you like, also create viewer accounts for read-only access.
Enforce HTTPS and use HSTS
Create a .htaccess file in the root folder with the following content:
# Redirect to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} =off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
# enable HSTS
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Install Plugins
Use the Force Login plugin, to restrict usage only to registered users. This will also immediately load the edit mode once your kid has logged in.
Make sure, the Loginizer plugin is installed and activated. It has a harsh retry limit and is a very effective means of keeping bad guys out.
Uncheck “Allow people to post comments on new articles”
Just in case you once allow discussion on a specific post:
Check “
Tweaking the UI
Update the theme: TWENTY SEVENTEEN is a nice theme (currently the default). Use a nice header image in the theme, showing something the kid likes (but probably not a closeup image of themselves)
Tweak the login screen
To make your kid feel at home, even at the login screen, use an image there too. Unfortunately you can not just add CSS in the default customization editor to tweak the login screen.
However, by using the Login customizer plugin:
Go to Appearance/Customize, then Login Customizer (new from the installed plugin), then Other/Custom CSS to fully tweak the style. However, you can also just use the CSS below (replace the image URL):
/* This CSS changes the default WordPress login page
* It uses a custom image as faded background and tweaks the
* other UI stuff accordingly */
/* use an image from the gallery */
body.login {
background-image: url(https://yourdomain.tld/wp-content/uploads/2018/03/x.jpg);
display: block;
background-size: cover;
}
/* fade the image to black and keep behind the login form */
body.login::after {
content: "";
background: rgba(0, 0, 0, 0.6);
position: absolute;
top: 0;
left: 0;
right: 0;
bottom: 0;
/* Image behind the login form */
z-index: -1;
}
/* make the links more readable, by using a white background, as the rest of the login form, in front of the blackish image */
/*body.login div#login,*/
body.login p#backtoblog,
body.login p#nav {
background-color: white;
}
/* keep the links visually attached to the form */
body.login p#nav,
body.login p#backtoblog {
margin-top: 0;
padding-top: 6px;
padding-bottom: 6px;
}
body.login p#backtoblog {
padding-bottom: 24px;
}
/* keep the wordpress logo decolorized to not infer with image colors */
body.login #login > h1 > a {
filter: grayscale(100%) brightness(250%);
}
Happy blogging!
WordPress and all plugins mentioned are free (or freemium), so consider donating to the respective authors.
As HTML/CSS/JavaScript exercise I created* a QR code generator, which is embeddable into any website. It’s even usable offline, because it’s just a single HTML file.
Try it
And here’s how you embed it, using a cached copy via the RawGit CDN:
You can also change the sizes or the frame border. The displayed QR code will adapt accordingly on page load. However, only one iframe per page is currently supported.
You may also take the qr.frameable.inline.html and host it on your own server, or just download it to your local file system for offline use.
API
The offered QR code generator supports two request query parameters:
text, to allow for a custom preset text. Requires URL encoding of the text.
readonly, to disallow text entry. This may be useful when you just want to present a QR code for a given text.
* To be honest, I just tried to pull the right strings. The QR Code generator page presented here is based on the Javascript QR Encoder by tz@execpc.com, released under GPLv3. It also uses small bits of Bootstrap, jQuery and AngularJS.
The DS115j is one of the more affordable models, running Version 5 of the Synology DiskStation Manager (DSM). Unfortunately it is not able to run Docker containers. Thus I decided to go down the native way with the Java Manager module.
However, to make it safe (that is, not running it as root) was a little more involved as I thought…
You will need to…
Install Java (with the Java Manager)
(at least temporarily) enable SSH on your NAS.
Add kernel modules for port redirection from Port 53 to a non-privileged port, to avoid running the DNS server as root.
Modify the Synology firewall to accept traffic for DNS and the NxFilter admin GUI.
Use UpStart jobs to start up NxFilter automatically after boot.
Use an upstream DNS server, also for queries originating from within the NAS.
Prerequisites
Log into your Synology NAS admin GUI as administrator.
Install Java, version 1.7.0, using the Java Manager Package in the Package Center of you Synology NAS.
Enable SSH in Control Panel / Terminal & SNMP / Terminal. Tick Enable SSH Service.
Add firewall rules in Control Panel / Security / Firewall. You must open a port for DNS and one for the admin GUI.
Since I will later use port redirection for DNS, I use port 8053 instead of the default 53. In the below example I allow all local traffic to the alternative DNS Port 8053 (UDP) as well as the administration GUI port 8443 (TCP).
I suggest to create and use a specific local user account for the NxFilter installation on your Synology NAS to keep things separated.
Creating an “NxFilter” user account
Name the user “NxFilter” and keep it the “users” System default group. There is no need to add any further access (not even for the FileStation), as this account is only used as a convenient, local container for the NxFilter files.
Log into the created NxFilter account, upload and unzip the binaries in to the home folder.
Deploying NxFilter
Config stuff
To avoid avoid the necessity to run as root, you should use an alternative port for the NxFilter admin GUI as well as the DNS service.
To do so, edit the home/conf/cfg.default file and save it as cfg.properties file. (Hint: to use the convenient online text editor, first rename the file to cfg.default.txt)
Editing the NxFilter config file
Edit the port configuration to this, for example (with an added line for the DNS port):
To keep the NxFilter DNS server automatically running over NAS reboots, you can create an Upstart job configuration, that will cause a job to run at startup and shutdown of the NAS.
However, the job needs to be split in 3 parts:
Setup the port redirection, with root privileges
Start NxFilter with user privileges
Tear down the port redirection, with root privileges
Create an Upstart script
Create an nxfilter-setup.conf file in /etc/init/ with the following content:
description "Prepares the system to start the NxFilter DNS server on a non-privileged port at NAS startup"
author "marcel@codeministry.ch (hosted on qrys.ch)"
usage "Start NxFilter simply with 'start nxfilter'. The setup and teardown tasks will be invoked automatically."
# output is logged to a file in directory /var/log/upstart/
console log
# Only start this task when the nxfilter service job is starting
start on starting nxfilter
task
# Note: Running as root (the default) is a bad idea,
# but root is actually required to bind to Port 53 (for DNS)
# on the given Synology DS115j NAS.
# As solution this uses local port redirection
# to let the DNS server use one of the higher, non-privileged ports
# when serving DNS queries.
script
# Since Synology DS115j NAS does not support nat tables out of the box we will add this first.
insmod /lib/modules/nf_nat.ko
insmod /lib/modules/iptable_nat.ko
insmod /lib/modules/ipt_REDIRECT.ko
# Add port redirection to serve DNS queries on one of the non-privileged ports
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 8053
end script
Create an nxfilter.conf file in /etc/init/ with the following content:
description "Starts the NxFilter DNS server on a non-privileged port at NAS startup"
author "marcel@codeministry.ch (hosted on qrys.ch)"
usage "Start NxFilter simply with 'start nxfilter'. The setup and teardown tasks will be invoked automatically."
setuid "NxFilter"
# output is logged to a file in directory /var/log/upstart/
console log
# Starting this service job will also start the nxfilter-setup task job
# Only start this service after the httpd user process has started. It is a safe bet that the DNS is able to run now.
start on started httpd-user
# Stop the service gracefully if the network goes down.
# Stoppping this service job will also start the nxfilter-teardown task job
stop on stopping network-interface IFACE=eth0
script
# Start the DNS server
# Since Upstart does only use a minimalistic environment, provide the necessities here directly to the process
exec env PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin:/var/packages/JavaManager/target/Java/jre/bin" /volume1/homes/NxFilter/bin/startup.sh
end script
pre-stop script
# Shut down the DNS server gracefully (otherwise it will get killed by the stop process)
# Since Upstart does only use a minimalistic environment, provide the necessities here directly to the process
exec env PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin:/var/packages/JavaManager/target/Java/jre/bin" /volume1/homes/NxFilter/bin/shutdown.sh
end script
Create an nxfilter-teardown.conf file in /etc/init/ with the following content:
description "Reverts the changes made to the system to start the NxFilter DNS server on a non-privileged port at NAS startup"
author "marcel@codeministry.ch (hosted on qrys.ch)"
usage "Start NxFilter simply with 'start nxfilter'. The setup and teardown tasks will be invoked automatically."
# output is logged to a file in directory /var/log/upstart/
console log
# Only start this task job the nxfilter service job is stopped (and NxFilter is shut down)
start on stopped nxfilter
task
script
# Remove the port redirection
iptables -t nat -D PREROUTING -p udp --dport 53 -j REDIRECT --to-port 8053
# Remove the NAT kernel modules (in reverse order)
rmmod /lib/modules/ipt_REDIRECT.ko
rmmod /lib/modules/iptable_nat.ko
rmmod /lib/modules/nf_nat.ko
end script
If you created the job configs in the NxFilter user’s home directory for convenience, now copy it in the right place:
Reload the job configuration and check the existence of the job
initctl reload-configuration
initctl list | grep nxfilter
Testing the UpStart job
Try to run the job now
start nxfilter
Output must be for a running state like:
nxfilter start/running, process 19499
See the log:
cat /var/log/upstart/nxfilter.log
If everything is OK, this job will start your NxFilter instance after reboot.
reboot
About not being root
By default, binding to a lower port, like 53 for DNS, needs root access, which is a good thing. But this also means that the whole NxFilter process (including the whole Java JVM in this case) needs to be run with root permissions, which is considered bad practice.
Better, you set explicit permission for binding, but run it without being root. However, the NAS in question seems not to support any of the conventional ways of doing this, like using authbind or setcap. But there’s another way.
Using iptables & kernel modules
iptables allows for all kind of redirecting and manipulating traffic. The solution here however requires only to change the destination port of an incoming DNS query packet. Thus I use the iptables directive as mentioned above.
However, on a Synology DS115j NAS the required nat table for port forwarding is not loaded by default, thus we also need insmod, as also was shown above.
DeLorean DMC-12 (Credits: Photo by Kevin Abato, www.grenexmedia.com, edited by me.
While the web (besides time machines) is styled much nicer than ever, this does not always mean, it’s your style, nor that user experience is much better for you.
Two powerful tools, UserStyles and Greasemonkey (Tampermonkey for Chrome), come to help. They both inject additional functionality (CSS and/or JavaScript) into existing websites, allowing to transform or extend their use.
In my spare time, I have created some (hopefully) handy scripts and styles:
A slimmed down StackExchange
To get rid of the distracting side bar on some of the StackExchange sites, I have created the StackWatchers user style. This also improves the reading experience on narrow windows.
Better UX with NxFilter
To have a better visual distinction for blocked requests by the DNS filtering tool NxFilter, I have created NxFilterColorizer, a user script that colorizes the table row depending on the block indicator text. It also applies a CSS class that allows further styling with a user style.
Find the keyboard focus
Ever got lost in a large input form? FocusFinder comes to the rescue. This is a simple user style, that globally highlights the currently focused or hovered input field or action item. This helps visually navigating and observing the structure of a website.
Upcoming: Header linkify
A user script that prepends clickable links to HTML headers. This allows to share a direct link to any part of a HTML document.
It served me well over all these years, both with Windows and Ubuntu Linux. But, getting tired of replacing empty or clogged ink cartridges all too often I considered buying a laser printer. I chose the Samsung Xpress C480W A4 Color Laser Printer.
Samsung Xpress C480W A4 Color Laser Printer
Installing a printer on Linux – a nightmare. Or is it?
Not with this one, I can say. The “Easy printer installation” does not promise too much. Here’s what it took me:
Attach the printer to the mains and the local LAN. Switch it on.
Download the appropriate driver package from the Samsung setup page with the Linux box. The website presents the Linux driver package (probably guessed from the User Agent string) right away.
Extract the package.
Run sudo ./install.sh
Installing the printer driver with the bash shell
Accept the EULA (This is the most inconvenient part as you are required to accept it line by line…)
Install the printer using the Ubuntu printer Dialog. It will automatically get recognized on the network.
The Ubuntu 14.04 Add printer dialog
Done. Feel the relief and joy of printing and scanning using your favorite OS.
Here’s how my first test page looks – scanned with the same printer again. 🙂
A scan of the first print test page.
Update: When scanning after Ubuntu upgrade does not work
After upgrading Ubuntu from 14.04 (LTS) to 16.04 (LTS) the scanner portion of the Samsung C480W did not work anymore. I got “Failed to scan” all the time from my beloved SimpleScan application.
SimpleScan refuses to find the scanner
Apparently some configurations did not make it through the Ubuntu upgrade.
My solution was to simply uninstall and reinstall the driver using the official driver package mentioned above:
sudo ./unistall.sh
sudo ./install.sh
Voilà – SimpleScan on Ubuntu 16.04 (LTS) found my scanner again.
One of my sons recently received this fine, Infrared (IR) remote controlled crane model as a gift. Would it be possible to rebuild the IR remote control with a Raspberry Pi?
Catching the signal
To build the IR-Transmitter I used the well-known LIRC library and this small IR receiver sensor from Adafruit. For emitting back the IR I just recycled an IR-Diode from an old JVC remote control unit and directly attached it to one of the GPIO ports the Raspberry Pi.
Connecting an IR-LED and an IR-Sensor to the Raspberry Pi 2 Model B
To set up LIRC, test the sensor, record the IR signal and emit the code I mainly followed this excellent blog post about setting up LIRC by Alex Bain. I worked through all the relevant steps and finally got a working solution.
Gettin’ the codez
The Playmobil crane remote control seems to use none of the standard protocols like NEC or MD-5. It also has a long sequence, as the output of the raw recording shows.
sudo /etc/init.d/lirc stop
mode2 -d /dev/lirc0
The “Left Turn” button, when using channel “D”, gives:
space 4656873
pulse 5722
space 452
pulse 942
space 473
pulse 947
space 474
pulse 949
space 937
pulse 485
space 964
pulse 459
space 938
pulse 484
space 911
pulse 511
space 473
pulse 959
space 464
pulse 950
space 471
pulse 951
space 471
pulse 952
space 469
pulse 953
space 116727
pulse 5721
space 471
pulse 953
space 469
pulse 952
space 443
pulse 980
...
A quick analysis using a spreadsheet and a bar chart shows some interesting features. See below. The y-axis shows the numbers from the raw output as values.
Barchart for left turn on channel D
There are 13 blocks, of which the later 12 are similar. A test showed that the signal consists of a first, single action code, followed by a repeated stop or terminating code. The clock seems to be at a value of about 473, which is the average duration for a pulse of basic width.
Getting a working lircd.conf file
Now the tricky part was creating the lircd.conf file with the irrecord application. The tool resorted to record what it calls a raw format. By following the on-screen instructions, I managed to get a working file, however, only with the action codes for each direction. I then manually created a stop code and added that to the end of the file.
# Stop lirc to free up /dev/lirc0
sudo /etc/init.d/lirc stop
# Get the configuration file from sourceforge
wget -qO- -O large-crane.lircd.conf 'https://sourceforge.net/p/lirc-remotes/code/ci/c1a9403dec74d2b3d90ff507d63a1cd7d8aa6a3b/tree/remotes/playmobil/large-crane.lircd.conf?format=raw'
# Make a backup of the original lircd.conf file
sudo mv /etc/lirc/lircd.conf /etc/lirc/lircd_original.conf
# Copy over your new configuration file
sudo cp large-crane.lircd.conf /etc/lirc/lircd.conf
# Start up lirc again
sudo /etc/init.d/lirc start
# Show the available codes
irsend LIST "playmobil" ""
# Get the bash control script for easy keyboard control
wget -qO- -O tmp.zip 'https://qrys.ch/wp-content/uploads/2016/01/cranecontrol.sh_.zip' && unzip -o tmp.zip && rm tmp.zip
# Start the control script
bash cranecontrol.sh
NxFilter is the best free solution for a self-hosted DNS server/filter I have found so far. Today I got my Raspberry Pi, so how about running NxFilter on a headless Raspberry Pi in a family’s home network?
Note: This article is based on a Raspberry Pi Model 2B and NxFilter Version 3.5.1. Never versions of either product may behave differently.
Prerequisites
The current Desktop version of Raspbian, the default Debian-based Operating System for the Raspberry Pi already comes with all required packages (Java, unzip, wget)