LG ThinQ App Notification Advertisement

I let our LG Washer-Dryer connect to Wi-Fi, but blocked its access to the Internet. I don't want it communicating with whatever cloud service they run, I just hoped there would be a local web page to scrape or some other port open so I could build a "Send a Signal message when the dryer finishes" service.

Alas, no, it only makes outgoing connections to its cloud service. I'm not ready to commit the time to trick it into communicating with something I develop.

Installing the app was required to get the unit to connect to Wi-fi. I had blocked the app's Location permission so they can't sell my data to an aggregator, denied the Microphone permission, and took away Camera and Nearby Devices after it scanned the barcode on the washer/dryer.

Now this. It sends advertisements in an Android notification.

I do appreciate some Internet of Things devices. I like being able to graph production data from the rooftop solar panels over time, and the status of the home's battery, for example. But so much of IoT is just in service to enshittification. It is maddening.

---

LG, if you're listening: I'm sure you track the number of people who click on that notification, maybe with some attempt to estimate conversions and attribute revenue. You need to also track the loss of goodwill.

I rage-uninstalled the app right after taking this screenshot, you need to correlate app store install metrics with when your ad campaigns run. That should feed in somehow to a loss of future revenue estimate, by souring attitudes amongst your installed base.

Lighting goodwill on fire to generate heat can result in revenue, but not without a cost.

Android Airtag Detection

I really do appreciate that recent Android releases notice and notify a user when an Airtag is accompanying them. Stalking via surreptitious Airtag is a real thing which happens.

One might think that the specific phrasing of "unknown Apple Airtag" implies the existence of a known Apple Airtag, but if such functionality exists I have not found it. I would really love to have a "it's ok, that one is mine" function to suppress repeated notifications about the Airtag in my luggage.

Android Signal Keyboard Privacy

Android keyboards can be quite sophisticated, including learning of commonly used words or languages. Some of these result in uploading what you enter to a service you may not know about. The Signal app on Android includes a setting to say that its keyboard input should not be uploaded.

Malicious keyboard apps can ignore this, but if a malicious keyboard has made its way onto your device I think you have bigger problems.

The tradeoff: if you use speech-to-text on the Android keyboard, it will no longer work. The microphone will be greyed out and will bring up a small message saying "This app doesn't support voice input." The stock Android keyboard apparently has no on-device voice processing.

I learned of this from Liz Fong-Jones' Bluesky feed.

HomeAssistant Voice Preview Edition poweron

I powered on two HomeAssistant Voice Preview Edition devices, trying to replace our use of Google Home. It is set up self-hosted in a HomeAssistant VM, running on a quite old Dell T320 server running Proxmox. It is an E5-2450 v2 with 8 cores and 20MB cache at 2.5 GHz. The HA-OS VM gets two of those cores.

Pros:

• has an announce function, one of the most common things we use Google Home for. Yes, we use Google Home primarily as an overly complicated intercom.
• entirely self-hosted, voice doesn't leave the home

Cons: haven't yet figured out the other common things we use Google Home for.

• set timer for N minutes
• play music from YouTube
• recurring alarms every weekday/Thursdays/etc

RSS Feed Likely to Break

Over a decade ago I configured this Google Blogger site to use FeedBurner. This blog never generated ad revenue and I turned ad insertion off, but left the feed still going through FeedBurner.

I'm making progress in moving the blog off of Google Blogger. I am actively trying to reduce my use of big tech companies, limiting them to easily-replaced commodified services wherever possible. I have a Jekyll site working locally, with all existing posts and images imported. I expect to serve the generated static site from somewhere like GitHub Pages or Cloudflare Pages so as to not operate a public-facing site myself, but retain the content and publishing infrastructure locally. The static hosting can be moved easily.

However: I expect the RSS feed will break, with a discontiguous update making it look like more than 400 posts have suddenly published. The Jekyll site will not generate an identical feed to Google Blogger. I also don't intend to use FeedBurner with the new site, as Google began shuttering the service several years ago.

Looking at the feed today, it is three posts behind. I don't know why, but I guess I'm heartened that it is not more. I'm posting this now in hopes that it will be published to any remaining subscribers of the RSS feed before the changeover happens.

Farewell, Google Charts API

Nearly 14 years ago I wrote a joke post about the Holtzmann Shields from Frank Herbert's Dune, complete with impressive-looking but nonsense equations like this one:

That equation was created using LaTeX:

T = \frac{(0.09\frac{m}{sec})^2(0.0289644\frac{kg}{mol})}{(3)(8.3145\frac{m^2\cdot kg}{sec^2\cdot mol\cdot K})}

 

At the time the post was written in 2011, Google offered a Charts API which would accept URL-encoded LaTeX and render it on the fly. The original posting from back then just embedded the Charts API URL as the source for the image, confident that Google would supply a suitable PNG:

https://chart.googleapis.com/chart?chs=239x83&cht=tx&chl=%0AT%20%3D%20%5Cfrac%7B(0.09%5Cfrac%7Bm%7D%7Bsec%7D)%5E2(0.0289644%5Cfrac%7Bkg%7D%7Bmol%7D)%7D%7B(3)(8.3145%5Cfrac%7Bm%5E2%5Ccdot%20kg%7D%7Bsec%5E2%5Ccdot%20mol%5Ccdot%20K%7D)%7D%0A

One can see the LaTeX code in the `chl` parameter.

 

The joke post turned into a joke on me: Google announced the deprecation of the Charts API the following year, and turned it off altogether in 2019. My post from 2011 has been broken for almost 6 years, without me knowing.

I am currently endeavoring to reduce my use of Big Tech services, turning to alternatives over which I have more control. Importing that 2011 post into Jekyll repeatedly failed because the image link was broken. I was able to recover the original LaTeX from the URLs to fix the old post, by generating PNGs.

I think this reinforces the desire to not depend upon Big Tech. Google kills services every day, especially ones like the Charts API which didn't have their own monetization path.

Preparing for Offsite Backup

For many years, too many years, my family computer backup plan was an aging Apple Airport Time Capsule paired with the fervent hope that nothing would ever fail. That worked pretty well in that we haven't lost anything important, but Backup Theater is honestly worse than just admitting there is no real backup.

Last year I decided that Adulting should include ensuring that family data remains safe and the kids don't lose schoolwork, or the custom Doom WADs they've developed, or what have you. The Adulting Plan for Backups consists of:

• Android and iOS devices should be backed up somewhere outside of the home.
• Windows and macOS laptops should be backed up somewhere outside of the home.
• Proxmox VMs and LXCs should be backed up somewhere outside of the home.

Repetative and boring, perhaps, but that is how a backup plan should be: replicated and safe.

 

Android and iOS

The mobile devices were simplest: they already backed themselves up, Android to Google Drive and iOS to iCloud. Downloading all iCloud photos to immich allowed us to drop to a less expensive iCloud+ storage plan while still using it for device backups.

One downside of using the mechanisms which Google and Apple provide is that the backups are not encrypted from outside access. Google and Apple can access the contents of the device backups. I hope to come back to re-examine these backup plans in the future with something we have more control over.

 

Windows and macOS

After some searching, we paid for Arq Backup Premium, which provides one license for each of our five laptops. Each laptop is configured to back itself up twice:

1. To the cloud storage which Arq Premium provides.
2. Using SFTP over Tailscale to the fileserver within our home.

The backup files for all of the laptops together come to a bit over 800GB, nicely fitting within the 1TB of Google Cloud storage from Arq Premium. The backups are encrypted using a key which only we have, neither Arq nor Google can read the contents.

 

Proxmox

The Proxmox server within the home has 10 terabytes of ZFS storage. It provides the SFTP backup which the laptops are configured to reach via Tailscale, and it backs up its own VMs and LXCs to ZFS using vzdump. I'm working on offsite replication for this and might post again when that is done.

ZFS Spooky Failure at a Distance

I use Proxmox with a ZFS array to run a number of self-hosted services. I have been working on setting up zrepl for offsite backup, replicating encrypted ZFS datasets which the remote system will be able to store but not decrypt.

 

While working through all of this, the new 28TB disk intended for the remote system appears to have failed.

root@zfsremote:~# zpool status
  pool: pool1
 state: DEGRADED
status: One or more devices has experienced an unrecoverable error.  An
        attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
        using 'zpool clear' or replace the device with 'zpool replace'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
config:

        NAME        STATE     READ WRITE CKSUM
        pool1       DEGRADED     0     0     0
          sdb       DEGRADED     0    35     0  too many errors

 

Indeed, there are kernel messages about disk errors:

Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368396833 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368399137 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368397089 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368401697 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368401441 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368399393 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368402721 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368402465 ...
Mar 31 07:16:33 zfsremote kernel: I/O error, dev sdb, sector 23368402209 ...
Mar 31 07:16:34 zfsremote kernel: I/O error, dev sdb, sector 23368401953 ...

 

It seems odd, though. I had run `badblocks` destructive tests for weeks before moving on to creating the ZFS pool. After all that, it would choose this moment to begin uncorrectable failures?

Quite suspiciously, 07:16:33 is also the very instant when I sent a kill signal to a vzdump process running on the Proxmox host.

116: 2025-03-31 07:14:31 INFO:  29% (7.4 TiB of 25.5 TiB) in 9h 37m 2s
116: 2025-03-31 07:16:33 ERROR: interrupted by signal
116: 2025-03-31 07:16:33 INFO: aborting backup job

As I now know, trying to kill vzdump with a signal is not the right thing to do. `vzdump -stop` is the right way to interrupt it.

The OpenZFS docs say: "the following cases will all produce errors that do not indicate potential device failure: 1) A network attached device lost connectivity but has now recovered"

So far as I can tell, this is the explanation for this failure. Me sending a signal to vzdump interrupted the stream of ZFS operations, which manifested as a failed array on the other end. I have to say that I'm not fond of array failure as the way to report network errors. I've cleared the failure using `zpool clear` and will hope that zrepl will sort out bringing the two ZFS filesystems back into sync.

I plan to give it a day, then restore the remote dataset and check whether the file contents are sensible. The remote system does not, and will never, have the encryption key to be able to check the contents of the datasets it holds. I'll have to transfer them back to be able to access them.

EFF Privacy Badger

I started using Privacy Badger from the Electronic Frontier Foundation several months ago. It is a browser extension — I use it with Chrome — which blocks or restricts domains known to track identities and activity across the web.

One can click on the Privacy Badger extension icon to see what has been blocked, and also to make exceptions for the website being visited if needed.

 
 

This includes live links to tweets and other social media, which Twitter uses to gather data about the viewer. I allow these on certain sites which curate related tweets into stories.

I don't actively use Twitter any more but still find the zeitgeist there to be informative.

Ringing Endorsement for Signal

As published in The Atlantic today:

The Trump Administration Accidentally Texted Me Its War Plans
U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.
 
By Jeffrey Goldberg

The aforementioned group chat was using Signal. I guess that is quite the ringing endorsement of Signal's security and trustworthiness.

Signal was already being targeted by every nation-state and major criminal hacking group, I doubt that the knowledge it is being used for US war planning will especially increase the pressure they are under. As a family, we use Signal to coordinate everything important to us.

Deleting Pokémon GO data

My final Pokémon

I was an enormous fan of Pokémon GO for several years, zealously playing no matter where I was. It spurred me to do interesting things like visit parks in my area to which I had never been, to capture the Pokestop. I joined in legendary battles. I recall captuing MewTwo at a local park with about a dozen other players. I'd been a player of Niantic's earlier game Ingress, and thought of Pokémon GO as a newer, shinier take on the concept.

As happens, my interest in catching Pokémon waned and eventually stopped by the summer of 2019. We went to LEGOLand and there is exactly one Pokémon screenshot in my photos, in what was surely a target rich environment. Emailed entreaties from Niantic to come back started a couple months later.

I knew that location data was the main economic reason for the game's existence. I wasn't especially concerned about it at the time, I felt confident that my visits to parks and monuments and fountains wouldn't be something to be concerned about.

 

That was then, this is now. The world seems more threatening, and Niantic's announcement of the sale of its games and location data to Scopely, which is owned by the Saudi Arabian sovereign wealth fund, is enough to trigger my spidey sense.

One can request deletion of the account and associated data from within the app if still installed, but it is not necessary to reinstall if already gone. Niantic has a request form to delete a Pokémon GO account. If you don't remember your account name, search your Inbox for the pleading entreaties to come back to the game — it went on for years.

After submitting the deletion request, Niantic sent an email requiring that I reply with a code to confirm the deletion within 30 days. Right now I'm trusting that they will actually delete the data: one person's information is valueless, there isn't a reason to lie about doing so.

Google Photos Takeout Download using Firefox

Four months ago I exported all photos from Google Photos to import into immich, and scheduled followon Takeout runs every two months. I had naively assumed the subsequent exports would be incremental changes from the first one, but they are instead complete exports again. Two months later, download of the first scheduled Takeout repeatedly failed until Google disabled the download links, leaving me unable to download my photos at all.

After another two months, I made another attempt with the next scheduled export. I tried downloading the first archive using Chrome, and it failed twice. I switched to Firefox to download instead of Chrome, and it worked much better. Firefox appears to not give up so quickly and keeps trying. I was able to download all fifteen ZIP archives, fifty Gigabytes each, with only one download failure where I had to start it again.

Hurray!

OPNsense 25.1 and ZFS

OPNsense 25.1 has been released. I'll update in a week or two, it looks neat.

My OPNsense instance is a VM running on a Proxmox host, where Proxmox uses ZFS as its storage. I doubt the ZFS support within OPNsense will be applicable, I think it sees a raw block device. I wouldn't want OPNsense to create a ZFS filesystem using the blocks which reside within the Proxmox ZFS filesystem. While I'm sure it would work, it seems like it would just be confusing without really being beneficial.

Family Use of Signal Messenger Status Report

About six weeks ago we moved our family chat over to Signal Messenger after considering alternatives WhatsApp and Telegram. We are a mix of very technical, somewhat technical, and non-technical users. Signal has been quite usable.

• We have 1:1 conversations between each of us, and a Family group chat.
• We've used it for group video calls and voice, text and images.
• We paste silly GIFs and use emoji to react to things.

It is, quite simply, fine. We use it for all of the important conversations now.

A+, would recommend. If you are looking for alternatives to WhatsApp, because reasons, Signal is fine for groups of all sorts.

Apple Photos to immich

In my continuing quest to ensure that we have local copies of all cloud data like photos, I re-discovered that we had about 11,000 pictures in Apple Photos from when we had an iPhone in the family.

iCloud Photos Downloader (icloudpd) is a command line utility which uses Apple's API to download your files from Apple Photos. Apple's API seems quite good, one can download the original resolution files without restriction or limit. icloudpd prints each filename to stdout as it runs. It took about 5 hours to download 11,000 photos and videos, 376 GBytes of data altogether.

Once downloaded to the local filesystem, immich-go imported the files to immich while suppressing duplicates as it went. Of the downloaded files, less than half were new. The rest had apparently made their way to Google Photos at some point, and already imported into immich.

As an added bonus with the photos deleted, we no longer need to pay Apple for so much storage and were able to drop down to a less expensive tier. We now have just enough to back up the iPads.

Daily Google Drive backup using rclone

I still make regular use of Google's Docs, Sheets, and so on but make regular backups to a local drive which is itself backed up off-site. I've settled on the following script, run from cron in the middle of the night. It sends email on failure, and reports success on Mondays just so I'll see that it is working. It is saved as /usr/local/bin/gdrive_sync.sh.

root@pve:~# cat /usr/local/bin/gdrive_sync.sh
#!/bin/sh

tmpfile=$(mktemp)
/usr/bin/rclone sync --fast-list --transfers=32 --create-empty-src-dirs \
	--exclude-if-present=exclude-from-rclone-sync \
	--drive-acknowledge-abuse \
	denny-at-example-com-google-drive-backup: \
	/pool1/GDrive/denny@example.com > ${tmpfile} 2>&1

if [ $? -ne 0 ]; then
	echo rclone Failed
	rm -f ${tmpfile}
	exit 1
fi

extra=$(grep -v -e "Duplicate object found in source" \
        -e "Duplicate directory found in source" ${tmpfile})
rm -f ${tmpfile}

if [ "${extra}" ]; then
	echo rclone errors found
	echo ${extra}
	exit 1
fi

dow=$(date +%w)
if [ ${dow} -eq 1 ]; then
	# Report success once per week
	echo Successfully backed up denny@example.com Google Drive
fi

exit 0

Google Photos Takeout failure

Two months ago I exported all photos from Google Photos to import into immich, and scheduled followon Takeout runs every two months. I had naively assumed the subsequent exports would be incremental changes from the first one, but they are instead complete exports again. Oh well.

More significantly though, they seem to require re-entering my login every 20 minutes or so. When I click on a download link if I haven't logged in within the last few minutes I am asked to login again, but also downloads which do not complete within 20 minutes seem to stop. Clicking "resume" in the Chrome download window doesn't succeed.

 

Once this has happened enough times, Takeout disallows trying to download again.

 

ZIP archives #7 and #8 are now inaccessible to me.

I don't recall needing to login so often during the last export, two months ago. Though the downloads did sometimes fail, I also don't recall having the resume download fail because of the need to login again. It probably did not change in the intervening two months, but somehow I'm running into it this time.

Google Takeout really is a wonderful thing, but I'm going to have to do it again and — I guess — be especially careful about when to download the links. Do I have to be ready to click Resume immediately? That seems primitive.

The Running of the Proxmoxes

I update Proxmox every 1-2 years.

Today was the day.

Success!

Installing Signal is Simple

In researching Signal Messenger I was left with the impression that it was difficult to use and tryig to get the whole family to use it would be painful. Having now finished getting it set up on everyone's phone I have to say: it was not difficult at all.

We each established a 1:1 channel with each other, and a group chat for the Family. I and one of the teenagers are admins of the Group. We've also used it for a 1:1 video call between an Android phone and an iPhone.

So far, so good.

Tailscale certificates with NextCloud

I run a self-hosted NextCloud instance within the home, and use Tailscale to access it while out and about. This entailed editing /var/www/nextcloud/config/config.php to add trusted_domains:

'trusted_domains' =>
array (
  0 => 'localhost',
  1 => 'nextcloud.tails-scales.ts.net',
),

As using the default self-signed certificate is annoying, I installed a Tailscale certificate instead. A script run from crontab each week automatically renews the certificate:

#/bin/bash

out=$(tailscale cert --cert-file /etc/ssl/certs/tailscale.crt \
                     --key-file /etc/ssl/private/tailscale.key \
                     nextcloud.tails-scales.ts.net)

if [ $? -ne 0 ]; then
  echo tailscale cert failed
  exit 1
fi

# No new certificate needed, just quietly exit
if echo ${out} | grep -q unchanged ; then
  exit 0
fi

echo tailscale cert updated, reloading apache
systemctl reload apache2