Overnight pulse oximeter tracks sleep apnea

Sleep apnea graph

At the start of the pandemic, I read a suggestion from a nurse that having a pulse oximeter would be a good idea. I’ve also had issues sleeping for some years including mild (and some not-so-mild) sleep apnea so I figured it might be good to document these. I bought a model which can be worn comfortably overnight and track the full night’s sleep, the Wellue/ViaTom SleepU P03.

The data it’s shown me is alarming. I have been having apnea events almost every night, some of these lasting long enough to dramatically drop my oxygen saturation. I’d been wondering why I’d suddenly find myself wide awake at 3 AM. Now I know it’s because I’d stopped breathing and my body struggled itself awake.

Though I’ve collected months of graphs showing a problem, I’ve not been successful demonstrating this during the VA sleep studies I’ve had done. I don’t do this every night but it happens with enough frequency that it makes it hard for me to feel rested in the morning. I’m hopeful that a future study will open the door to some treatment. A good night’s sleep is a fantastic gift.

Along my sleep apnea journey, I found the excellent OSCAR app, an open-source data visualization tool that gathers data from CPAP machines and pulse oximeters like mine.

Getting old is not for wusses.

Samsung Galaxy spying defeated?

As I’ve written before, I kept noticing ads pop up on Facebook and Twitter which seemed suspiciously as if they were triggered by conversations held around my phone. I got so fed up with this over the summer that I briefly listed my Samsung Galaxy phone on Craigslist. And yet, something pulled me back. A friend pointed out that certain apps – even system ones – could be removed from the phone without actually rooting it. I have always been impressed with the Galaxy’s hardware; it was Samsung’s bloatware that drew my suspicion. Samsung has locked my phone down so tightly that rooting it is out of the question. Perhaps this other method might work?

After carefully examining apps in Android’s app permissions page, paying particular attention to system apps (which usually are firmly entrenched and can’t be removed), my eyes focused on one quite innocuous one that called itself SmartThings.

I already tweeted my discovery of two separate SmartThings apps, each with wildly different permissions, but a search of the phone’s packages never turned up the more entrenched, system version of SmartThings.

After more Googling, I found the name of the offender, a mysterious package called com.samsung.android.beaconmanager.

Bypassing the AT&T Pace 5268AC Residential Gateway, Part I

Turn this into a high-tech doorstop


I’d been dreaming of getting fiber to my home for over a decade. It was that long ago that I spent my days hooking up ten-gigabit fiber connections to massive file servers at NetApp. I led a successful grassroots effort to lure Google Fiber to Raleigh, because competition can be a great way to spur innovation and investment. You can imagine in 2018 how excited I was to learn that fiber was coming to my neighborhood. While it wasn’t Google, it was AT&T. I swallowed my pride, quietly rescinded my ban of ever doing business with AT&T again, and signed up for their fastest package: symmetrical gigabit fiber. Cost was $80/month initially and thereafter $90/month. I’m sure I’m one of the few in my area who max it out. Hey, geeks gotta geek.

Why bother?

While I’m happy to use up as many AT&T bits as possible, I still don’t entirely trust the company (though I do trust them more than Time Warner Cable (TWC), a.k.a. Spectrum, and this as you know is not saying much). While worrying about giving a major telco direct access to my home network may be a bit on the paranoid side, a number of security vulnerabilities have been discovered in other AT&T devices. Though AT&T might not be snooping around my network, I could not be entirely comfortable that hackers wouldn’t. AT&T’s RGs were discovered to have the built-in ability to do deep packet inspection (DPI) themselves, being able to snoop on the network traffic of its customers. For this and many other reasons, I just don’t trust any devices on my home network that I do not control.

I kept a firewall between TWC and my network for this reason. AT&T wants you to use their device, which they call a “Residential Gateway” or RG, as the firewall. It also acts as a WiFi point, DHCP server, and the like. This may be fine for most people, but I am an uber power user. As an engineer, I want to squeeze the maximum performance out of my networking. I will happily void the warranties on my networking gear. I didn’t spend time tuning my home firewalls for maximum throughput just to discard them when some corporate box comes along. This just won’t do, you see.

The Power User’s approach

My first approach was to switch things over to my TP-Link AC1750 access points, running OpenWRT. While my AC1750s could keep up with the slow (300 Mbps) speeds of cable Internet, they were balking at gigabit speeds. The hardware acceleration the AC1750s utilize requires proprietary drivers which OpenWRT does not provide. It was time to list them on Craigslist and try something new.

The Ecovacs Deebot Orzo 920 robot vacuum

The Ecovacs Deebot Orzo 920

My membership warehouse company, Costco, sells not only the iRobot models but also the Ecovacs brand. I was intrigued so I brought home the Ecovacs Deebot Orzo 920. What do I have to lose, with Costco’s generous return policy protecting me? I ordered the Orzo 920 online and waited patiently for it to arrive.

The Orzo 920 is almost perfect as far as robot vacuums go, though I’m not sure why it has such a long name (how many brand names does one robot need?). A Chinese model, it nevertheless has clearly-written documentation and labels. The box contained the robot, charging dock, booklet, two HEPA filters and a tool for cleaning the brushes. Instinctively I set up the charging dock and put the robot on it, not realizing I had to flip the red switch on top to actually turn it on.

Modern robot vacuums need Internet access, so I had to go through steps to connect it to my home network. I downloaded the Ecovacs app for my Android phone and set the vacuum up to advertise its WiFi signal. Connecting it to the app was simple and quick.

Once the Orzo was charged, I used the app to set it up. The Orzo uses LIDAR laser ranging to map the floors of your home. It maps your home the first time it’s run, after which you can edit the map to divide areas, mark off spots with “virtual boundaries,” and make other adjustments. Different advanced vacuums use different technologies to map rooms (iRobots use a visual camera) but in my experience the LIDAR is tough to beat. It was a treat to watch as the app filled in walls as the robot proceeded around the room. It does an amazingly accurate job figuring out where it is and what the room looks like. I could tell this was not a robot that would ever get lost on the way back to the dock.

One thing I learned right away is that the initial mapping takes longer than a normal cleaning. This may just be my experience but I wanted it to be thorough in its mapping at the expense of deep cleaning the first time. I discovered an option in the app’s settings which allows you to set the vacuum’s power on the “Quiet” setting. This uses far less battery than the normal power modes so I was able to get the vacuum to completely map my floor without having to stop and charge mid-way.

Multiple floors are supported, so once the Orzo had mapped the downstairs I moved the dock and vacuum upstairs and had the Orzo map it, too. Only two maps seem to be in the app so if your home has more than two you might be out of luck.

Karaoke is my quarantine creative outlet

After a public performance or two over our New Year’s trip I thought I’d take my singing more seriously. I quickly discovered the huge library of karaoke songs on Spotify and realized that I could use this and some Googled lyrics to turn a PA speaker into a karaoke machine. I’ve posted two of my songs to YouTube already (“(The Angels Wanna Wear My) Red Shoes” by Elvis Costello and “Pink Cadillac” by Bruce Springsteen) and have gotten positive feedback. It feels good to be able to try something new, share it with the world, and get feedback on it.

It’s been a good lesson on how I sing, too. I sang in chorus in middle school and sang in my church’s youth choir around that time, too. I’ve been singing along to my favorite music whenever I’m alone at home or in the car. Once my colleagues caught me singing in the server room when I thought the roar of machines was drowning me out! Rarely did I sing for an audience before.

I have learned that singing with the goal of sounding the best is new to me. I realized that many of the songs I’ve been singing along to, ones that I’ve enjoyed singing, are not necessarily songs fit for my vocal range or style. When I’ve tried to do karaoke versions of these songs I quickly realized the ways in which my voice came up short. You know what? I have learned to be fine with this. I can’t nail every song but there are still hundreds or even thousands where my voice fits just fine. My list of karaoke songs is now well into the hundreds and I can easily organize a hefty, interesting set list to cover any performances.

Excuse me, but Oculan did a great job explaining its usefulness

I was wandering through my MT.Net archives and noticed I had linked to a Triangle Business Journal story on the revival of Oculan. The story included this quote, which for some reason I just noticed was a slap in the face to me (hey it’s only been 18 years, right?):

Where Oculan stumbled, said independent analyst Richard Ptak, of Ptak, Noel & Associates in Amherst, N.H., was in the marketing.

“They had a very nice solution and a good strategy, but were never able to communicate why it was a good product,” Ptak said. “A lot of tech entrepreneurs think all they need is a better mousetrap, but nobody buys technology for the sake of technology anymore. They buy it because it’ll solve a problem.”

Well, Mr. Ptak, Oculan did a fantastic job communicating why it was a good product. Not only did it have an outstanding team of sales engineers out pitching it, the damn product sold itself. Your quote about a better mousetrap shows your ignorance.

So there.

‘Shattered’: Inside the secret battle to save America’s undercover spies in the digital age

When hackers began slipping into computer systems at the Office of Personnel Management in the spring of 2014, no one inside that federal agency could have predicted the potential scale and magnitude of the damage. Over the next six months, those hackers — later identified as working for the Chinese government — stole data on nearly 22 million former and current American civil servants, including intelligence officials.

The data breach, which included fingerprints, personnel records and security clearance background information, shook the intelligence community to its core. Among the hacked information’s other uses, Beijing had acquired a potential way to identify large numbers of undercover spies working for the U.S. government. The fallout from the hack was intense, with the CIA reportedly pulling its officers out of China. (The director of national intelligence later denied this withdrawal.)

Personal data was being weaponized like never before. In one previously unreported incident, around the time of the OPM hack, senior intelligence officials realized that the Kremlin was quickly able to identify new CIA officers in the U.S. Embassy in Moscow — likely based on the differences in pay between diplomats, details on past service in “hardship” posts, speedy promotions and other digital clues, say four former intelligence officials. Those clues, they surmised, could have come from access to the OPM data, possibly shared by the Chinese, or some other way, say former officials.

The OPM hack was a watershed moment, ushering in an era when big data and other digital tools may render methods of traditional human intelligence gathering extinct, say former officials. It is part of an evolution that poses one of the most significant challenges to undercover intelligence work in at least a half century — and probably much longer.

The familiar trope of Jason Bourne movies and John le Carré novels where spies open secret safes filled with false passports and interchangeable identities is already a relic, say former officials — swept away by technological changes so profound that they’re forcing the CIA to reconsider everything from how and where it recruits officers to where it trains potential agency personnel. Instead, the spread of new tools like facial recognition at border crossings and airports and widespread internet-connected surveillance cameras in major cities is wiping away in a matter of years carefully honed tradecraft that took intelligence experts decades to perfect.

Source: ‘Shattered’: Inside the secret battle to save America’s undercover spies in the digital age

Facebook audio snooping almost certainly prompted targeted ad

A story in July’s Consumer Reports discussed the possibility of our social media apps secretly listening to us:

Well, it’s technically possible for phones and apps to secretly record what you say. And lots of people sure seem to think they do.

According to a nationally representative phone survey of 1,006 U.S. adults conducted by Consumer Reports in May 2019, 43 percent of Americans who own a smartphone believe their phone is recording conversations without their permission.

But, to date, researchers have failed to find any evidence of such snooping.

While there might not be any fire yet, there sure as hell is smoke.

AD/LDAP authentication on Linux hosts

I’ve been working with the Lightweight Directory Access Protocol (LDAP) for 18 years now. Then Microsoft embraced and extended LDAP with Active Directory. Nowadays most companies base all of their authentication and authorization on Active Directory and for good reason. In a Windows-only world it works great. For a mixed-platform environment, it’s a bit more difficult to make work.

I recently worked out how to make Linux systems authenticate against Active Directory using only the LDAP protocol and wanted to share it here for any fellow DevOps/sysadmins who might want to try it themselves. The goals were to do it with minimum fuss and using the native tools – no third-party apps. I also wanted to do it solely with LDAP and not have to worry about pointlessly “joining” a Linux host to a domain.

The modern way that Red Hat likes to connect Linux hosts to AD is to use the SSSD suite of packages, join the host to the Active Directory tree, and talk to AD directly. This seems like a lot of bloat to me when all you need is authentication. Fortunately, you can use the “legacy” means and do it all with LDAP libraries.

Bridging Active Directory and Linux hosts

One way to integrate Linux/UNIX hosts into AD is to add Microsoft Windows Services for UNIX (SFU) schema extensions. This means every AD entry would be defined with common Unix attributes like uid (user id) and gid (group id). These could sometimes get out of sync with the AD attributes and at any rate would require constant updating of the AD records.

Ideally, we won’t depend on Services for UNIX additions in AD and the complexity it brings. Instead, we’ll identify standard AD attributes and map them to Linux/UNIX equivalents. The nss-pam-ldapd package allows us to do this in the /etc/nslcd.conf file, which we’ll see in a minute.

Differences between CentOS 6/AWS and CentOS 7 hosts

One stumbling block has been that Amazon Linux (amzn) uses old, old libraries, based on CentOS 6 packages. The nss-pam-ldapd package which ships with this version of Amazon Linux is version 0.7.5; a version too old to include the mapping functionality we need to avoid using Services for UNIX.

Fortunately, we can remove the amzn version and add an updated one. I have tested one I have found at this link which updates any amzn hosts to the 0.9.8 version of nss-pam-ldapd.

The version of nss-pam-ldapd that ships with CentOS 7 is 0.8.3 and works fine with attribute mapping.

Obtaining the domain’s ObjectSID

The goal of using a directory is consistency. If a user appears in AD, that user will be available to Linux hosts. Also, that user will be treated the same on every directory-equipped server, since that user will ideally have the same uid/gid everywhere. Without adding Services for UNIX, we need some way to ensure a uid on one host is consistent with the uid on another host. nss-pam-ldapd does this by mapping Linux uids/gids to their equivalents in AD, called ObjectSIDs. You need to obtain your AD server’s domain ObjectSID.
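The mapping described above rests on the structure of an ObjectSID: the binary value AD stores decodes to a string of the form S-1-5-21-...-RID, where everything before the last component identifies the domain and the last component (the RID) is unique to the account. The script below is an added example, not code from the post or from nss-pam-ldapd: it decodes the binary objectSid, checks that the account belongs to the expected domain, and derives a uid from the RID. The domain SID and RID are constructed sample values, and the rule "uid = base + RID" is an assumption about how a SID-based mapping is done, not something the post states.

```python
"""Decode an Active Directory objectSid and derive a consistent POSIX uid
from it.  Added example; sample SID values are constructed, not real."""
import struct

# Constructed sample values (not from any real domain).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
USER_RID = 1105


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-s1-s2-...' into the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_bytes_to_string(raw: bytes) -> str:
    """Reverse of sid_string_to_bytes; rejects malformed values."""
    if len(raw) < 8:
        raise ValueError("SID too short: %d bytes" % len(raw))
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length %d does not match %d sub-authorities"
                         % (len(raw), sub_count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_sid(sid: str):
    """Split an account SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def posix_uid(object_sid_raw: bytes, domain_sid: str, uid_base: int = 0):
    """Derive a uid from a binary objectSid.  Accounts whose SID is not in
    domain_sid get None so that foreign or well-known SIDs are never mapped
    onto local numeric ids.  uid = uid_base + RID is an assumed mapping rule."""
    domain, rid = split_sid(sid_bytes_to_string(object_sid_raw))
    if domain != domain_sid:
        return None
    return uid_base + rid


if __name__ == "__main__":
    raw = sid_string_to_bytes("%s-%d" % (DOMAIN_SID, USER_RID))
    print(sid_bytes_to_string(raw), "->", posix_uid(raw, DOMAIN_SID, 10000))
```

The domain check matters because an AD forest can return objects from other domains or built-in SIDs whose RIDs would collide with local accounts if mapped blindly.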

Our car’s keyfob was hacked – the question is how?

We were out of town over the weekend and at 5:30 AM Saturday I awakened to the sound of one beep of our car’s “alarm” horn. Thinking it was the neighbor’s car and knowing our car was locked, I went back to bed. When we walked to the car later that morning, the hatch was standing wide open. Nothing appeared to be touched or taken.

I was immediately concerned that somehow our keyfob had been hacked. Kelly thought something probably bumped up against one of our keyfobs and that caused it to open. We’ve had the car for years, though, and an “accident” like this has never happened. If something pressed a keyfob button, why would it sound just one beep of the horn alarm? Why not trigger it to sound repeatedly, as would happen if it were a single press of the button? Seems unlikely an accidental press of a button would cause one clean beep and then cause the hatchback to open.

So, naturally I am fascinated with whatever technology was used for this! There are a couple of approaches.