Recovering from a hack

At the end of last week, I got a message from my sister about a problem with her email account. It is a Google Apps for your Domain account and luckily, I don’t manage it! Around the same time I got her message, I received email from Google that her account was suspended. Turns out when I set up the Google account, I added an admin account for me and had email forwarded to my main email address. This turns out to be a good thing as I was able to reset her password and get her going again. My sister explained that she had checked her email from her work Windows machine and it had some type of virus/malware on it and that caused her account to be compromised. Ouch. Like a good brother, I helped get things going again and told her (and the rest of my family) to enable 2 factor/2 step authentication everywhere it was available. In addition, I told her never to check her Google email from her work computer and just use her phone. That’s probably good advice; don’t use machines that aren’t under your control if you can help it. Email can wait and with a smartphone, it is easy enough to check mail on the phone.

Her email address (not the account) was then used to send a bunch of spam. Unfortunately, there isn’t much that can be done about it. However, since I have control over the DNS for her domain, I set up SPF and DKIM so that any service that implements either or both of these will mark any mail that doesn’t originate from Google servers as spam. Email that originates from a server not identified by SPF will have something like this in the header:

Received-SPF: fail ( domain of person@example does not designate as permitted sender)
client-ip=; Authentication-Results:;

spf=fail ( domain of person@example does not designate as permitted sender)

Whereas legitimate email will look like this:

Received-SPF: pass ( domain of designates 2607:f8b0:400e:c03::232 as permitted sender)
client-ip=2607:f8b0:400e:c03::232; Authentication-Results:;

spf=pass ( domain of designates 2607:f8b0:400e:c03::232 as permitted sender); dkim=pass

(This SPF pass also shows a DKIM pass.)

Many providers (such as Gmail) use SPF and DKIM to mark messages as spam; Gmail doesn’t flat out refuse the email, but some providers will. For anyone that receives spoofed email from a person whose domain uses SPF and DKIM, I’d recommend letting the provider know about this. SPF has been around for years and takes just a few minutes to set up.
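How a receiving server arrives at the spf=pass or spf=fail verdict shown in the headers above, as an added example that is not from the original post. It evaluates only the `ip4`, `ip6`, `include` and `all` mechanisms; the domains, the records in `TXT_RECORDS` and the addresses are constructed documentation values standing in for real DNS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS lookups (assumption: the
# sender domain delegates to its mail provider with include: and ends in -all).
TXT_RECORDS = {
    "example.com": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:400e::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 limits DNS-querying mechanisms to 10 per check


def check_host(ip, domain, budget=None):
    """Return the SPF result for a connecting IP and the envelope-from domain."""
    budget = budget if budget is not None else [MAX_LOOKUPS]
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    # Mechanisms are evaluated left to right; the first match decides.
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups, e.g. an include loop
            inner = check_host(ip, arg, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
            # fail/softfail/neutral inside an include only means "no match"
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"  # no mechanism matched and the record has no "all"


if __name__ == "__main__":
    for ip in ("2001:db8:400e:c03::232", "198.51.100.7"):
        print(ip, check_host(ip, "example.com"))
```

The provider's own `~all` never leaks out of the `include:`; it is the sender domain's final `-all` that turns mail from any other server into a hard fail.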

While email is still going out using my sister’s email address, there is absolutely nothing she (or I) can do about it.

Lessons learned:

  1. Turn on SPF and DKIM on domains.
  2. Use 2 factor/2 step authentication where available.
  3. Don’t use untrusted computers.

I thought one hack-related problem was enough for a week, but the world thought I could handle another. While I was investigating an SSL problem at work, I checked this blog to make sure that everything was using SSL. I have now redirected all traffic to SSL and should get the lock icon in the browser bar. In Safari, the lock icon only appears if ALL elements on the page use SSL, so I went through last week and made sure that all elements, including the Amazon links, used SSL. When I loaded my page, I saw the lock icon and then saw it go away. I used the tools in Safari to see that there were some elements loading off unknown websites. Google searches yielded information about some malware on Windows machines affecting WordPress sites. OK, I don’t use Windows except in limited cases and don’t use it to browse the web. I started digging around and found out that the header.php file in many of the themes on my site had some JavaScript injected in them that was obfuscated and when it was executed, injected that malicious code that loaded http (not https) sites. After I removed all the themes, except for 1 and replaced the theme I used, the malicious code was gone. I changed my WordPress password and that should have been that.

I back up my virtual server daily and then sync them to my laptop, so I started going through the backups to figure out when the code was modified. It appears that the code was modified right around when WordPress 4.3.1 came out. That is quite coincidental and scary. I couldn’t pinpoint the exact date or method of injection, but WordPress is a constant target for hacks and is patched all the time for security issues.
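One way to automate the walk through daily backups described above, as an added example that is not from the original post: hash every PHP file in each backup and report the first backup in which a file was added, modified or removed. The backup labels, theme paths and file contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root, pattern="*.php"):
    """Map relative path -> SHA-256 for every matching file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob(pattern) if p.is_file()
    }


def change_timeline(backups):
    """backups: (label, directory) pairs, oldest first.

    Returns (label, relative_path, kind) for each file that differs from
    the previous backup, so the label dates the change."""
    events, previous = [], None
    for label, directory in backups:
        current = snapshot(directory)
        if previous is not None:
            for path in sorted(previous.keys() | current.keys()):
                if path not in previous:
                    events.append((label, path, "added"))
                elif path not in current:
                    events.append((label, path, "removed"))
                elif previous[path] != current[path]:
                    events.append((label, path, "modified"))
        previous = current
    return events


def demo():
    """Build three constructed daily backups and report what changed when."""
    clean = "<?php wp_head(); ?>\n"
    tampered = clean + "<script>/* constructed stand-in for injected code */</script>\n"
    layout = [
        ("day1", {"alpha/header.php": clean, "beta/header.php": clean}),
        ("day2", {"alpha/header.php": clean, "beta/header.php": clean}),
        ("day3", {"alpha/header.php": tampered, "beta/header.php": tampered,
                  "beta/cache.php": tampered}),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        backups = []
        for label, files in layout:
            for rel, body in files.items():
                target = Path(tmp, label, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
            backups.append((label, Path(tmp, label)))
        return change_timeline(backups)


if __name__ == "__main__":
    for event in demo():
        print(*event)
```

Run against the live theme directory and the latest clean backup, the same comparison doubles as a file-integrity check between updates.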

So now I’ve cleaned up this mess and disabled a bunch of plugins. While I hope this doesn’t happen again, I’m not sure what I can do to protect my site. I’ll keep a closer eye on the logs and see if I notice anything.

Dealing with this kind of thing keeps me up at night and gives me heartburn. It is too bad that criminals and miscreants don’t have better things to do than to cause problems for others. My wife believes in karma, and I’m sure that those that perpetrated these hacks will get what’s coming to them.

Looking for my next car

[Updated @ 3:50 pm with a line I forgot about changing needs.]

I currently drive a 2003 Toyota Highlander that has been treating me well since I bought it. I don’t drive that much and the car hasn’t had any problems. However, I’d like to get a new car before I start running into problems (based on my low mileage, that could be a long way off) and to get some more modern features found in cars. Another major reason to move away from the Highlander is that my needs have changed since I got it; I don’t haul around stuff and don’t usually haul people around besides my family. Earlier this year, I installed a new stereo which has been great and has breathed some new life into my car. Ever since my wife got her Honda CR-V 8.5 years ago, I’ve been interested in the Acura RDX which is kind of the luxury version of the CR-V. I had convinced myself that I was going to get this car and this was going to be the year. However, when the 2016 model came out, it didn’t have Apple’s CarPlay, so I put off getting a new car for another year.

A few months ago, I saw a post that Audi was going to start shipping its A3 plug-in hybrid in the US in October. I hadn’t thought about a hybrid, let alone a plug-in hybrid, but it looked interesting. As I don’t drive much and the touted range of this car on electric was about 30 miles, I could possibly do most of my driving on electric. (In a few years I’m going to look at solar which would make charging a plug-in a lot less.) I have been driving an SUV for a long time, so going back to a sedan was going to be a change. All the features on the Audi look like it would meet my needs (luckily it isn’t diesel :-)), except that it doesn’t have CarPlay and Audi won’t give me a straight answer on if the A3 will be upgradeable to it next year; other Audi models will get CarPlay, so I’d hope it is possible.

The styling on the A3 e-Tron isn’t bad and I’ve been noticing more and more of the older A3 sport backs on the road. A few weeks ago, I noticed I was driving behind an A3 and saw the e-Tron logo with Michigan plates. Interesting because the car hadn’t been released, yet. After a search online when we got home, I found out that Audi was test driving the A3 in San Diego and anyone could sign up. So the next day I took the car for a drive. Driving the car wasn’t bad, but I’m not used to a sedan. It was quiet in all electric and seemed to perform OK, but the Audi guy just had me go in a big circle and I didn’t get a chance to take it on the highway. I’m going to need more time with this car to see if it is all that I want; it didn’t wow me out of the gate, so maybe that is a bad sign.

Some plug-in hybrids have federal tax credits available and in looking at the chart, I can see that most of the manufacturers don’t make the plug-in hybrids every year. The number of choices for plug-in hybrids is quite small, so I may have to look elsewhere for my ideal car.

At the same time, I started looking at the gas mileage on the Acura RDX and it basically stinks. As I mentioned, I don’t drive much, but it pains me to spend money on a new car that gets gas mileage only slightly better than my 13 year old Highlander (thanks to my Automatic, I can see I get around 20 mpg on average). So now I’ve crossed the Acura off the list and my list of cars to look at consists of just the Audi. Looking at other plug-in hybrids (they really seem to make a lot of sense), they’re all ugly (what is up with this one)?

My needs are simple, my wants are more extensive. I definitely don’t need a new car, but my wife keeps saying that I deserve one (I’m not going to argue with her :-)).

The San Diego International Auto Show is coming in January, so I’ll use that opportunity to check out what cars could be on my short list.

Unfortunately I have a feeling that I’m not going to find exactly what I want and then I won’t get anything; that will be fine for my wallet, but my wife said I deserve a new car, so I can’t lose the opportunity!

VLAN on a home network

When I first set up IP cameras over 2 years ago, I purchased a Cisco PoE switch. I didn’t need a managed switch, but at the time, it was the only PoE switch I could find without a fan (I probably should have looked harder). The switch has so many options like locking down ports based on MAC address, VLAN tagging, even some routing capabilities.

I thought about setting up a VLAN to isolate the camera traffic so that only the server recording the video could access the cameras, but decided against it as I couldn’t quite figure out all the pieces and didn’t see the point in doing so.

After purchasing the EdgeRouter Lite, I had to set up a VLAN for my guest network in order to prevent guest users from having access to the rest of my network. I don’t have too many guests over, but I figured it was a good idea and in order to emulate my Time Capsule, I set it up.

Over the past few weeks, I’ve been testing out an enterprise grade WiFi access point (more on this in a future post) and one of the features it has is the ability to assign a VLAN to a wireless network. Since I already had experience setting up a VLAN, I started playing with this feature and thought about using a VLAN for my WLAN traffic. Why would I do this? That’s a really good question. As this is my home network, I wanted the wireless clients to be able to access resources on the wired network and vice versa. A VLAN is designed to isolate traffic and by trying to combine the networks, I was basically defeating a main reason to use a VLAN. However, I went ahead with my experimentation and was able to put wireless clients on a VLAN. The setup was easy and my clients connected. However, I couldn’t use auto discovery like mDNS and UPnP that many services use on a home network.

mDNS was solved using:

    set service mdns reflector

and this post got UPnP discovery working. I did have some high CPU load on my router with this however.

I got everything working and was fairly pleased (except for the high CPU usage on the router). A Ubiquiti employee pointed out the obvious to me that doing what I wanted defeated the purpose of a VLAN, so I really started thinking about what I was trying to do. I love statistics, so I guess I really just want to know how much traffic is going over the wireless network.

The other reason for doing VLANs is to handle more than 254 (or so) devices on a network. My home network currently has 38 devices, so I haven’t hit this limit, yet. If I was running a small business, I’m sure that I could hit this limit fairly quickly and VLANs would make a lot of sense. In that case, the mDNS reflector and UPnP broadcasting could bog down the router. In addition, in order to route traffic to a VLAN, the traffic has to go through a router and that will increase load on the router.

So, I’ve learned a bit about VLANs, UPnP, and mDNS. I haven’t accomplished anything in this experiment as my network still works the same way as it did before I started this.

Review: Aeon Labs Minimote

As some can probably tell from my writings, I’m very into home automation and have my whole house setup so that it basically runs itself (OK, not really). I have lots of “scenes” programmed to respond to various triggers such as wall switches, motion detectors and time of day. The way our house is setup, we have a very large sliding glass door leading to the backyard which makes it hard to mount any switch near it. At night we let the dog out and turn the light on for him; if the door was closed, opening the door at night causes the light to turn on. If the door was open like it has been all summer, the light only comes on when the dog passes the outside motion sensor.

Since I’m lazy (why else would I automate so many things?), I wanted an easy way to turn the lights on and then turn them off without getting off the couch. I saw a special on the Aeon Labs Minimote, so I bought 2. This is a Z-Wave remote that integrates into Z-Wave automation systems. This version was an older model that could have its firmware flashed to the new model; only difference being the markings on the buttons and possibly the plastic.

I was quite excited to get these remotes as I’d be able to put one near the couch and turn the outside lights on or off. My excitement was tempered as the version of VeraEdge that I was running didn’t work with the remote. The newer version of the firmware did, but reports were that there were issues with it. So when newer firmware came out, I upgraded my Vera Edge, crossed my fingers and paired the remote. Setup of the remote was quite simple and I assigned “scenes” to the buttons. The remote has 4 buttons and each button responds to a short and a long press giving me 8 possible scenes to run. I set up each button with an on scene (short press) and an off scene (long press) and put the remote by the couch.

Within a few days, I found myself regularly using the remote. The remote responded quickly and I haven’t had any problems with it. I knew I had a hit on my hands when my wife used it to turn the lights off; I haven’t labelled the buttons yet (that’s on my list), but she remembered that I said button 1 was for the backyard lights (button 2 is for the front lights; still trying to figure out what to do with the other buttons).

The remote is powered by a rechargeable battery and I have an Anker charger right next to the couch, so once it is time to charge, I just have to plug it in and won’t have to figure out where I put it.


  • Compact
  • Rechargeable
  • Easy setup
  • Works with the Vera Edge


  • Feels cheaply made; I suspect the newer model feels a little better based on the pictures I’ve seen.


If you have a Z-Wave automation system, buying this remote is a no brainer as there are times that you want to control some scene, but don’t want to go over to the wall to a hard wired controller or you don’t want to pull out a phone to run an app. The only real problem I have with this is I have no idea what to do with the second one as there are so many possibilities!

Cable confusion helps in cutting the cord

A few months ago, my parents moved to a different part of town and one of the services they had to switch was cable. Due to franchise agreements in San Diego, they had to switch providers. My dad called me and asked for advice on what cable TV package to get and I had no idea because I don’t have cable TV and have a different provider. However, we went through the shows that my parents recorded on their TiVo and with a few exceptions, the shows were all on broadcast TV. I suggested that my dad give an antenna a try as that would be a lot cheaper and he wouldn’t have to pick a package. He agreed and I told him to order an Antennas Direct ClearStream Antenna.

The antenna arrived a few days later, I assembled it, set it on the ground and started tuning channels. We got a ton of channels, but missed NBC, I believe. I raised the antenna up a few feet and got NBC and other channels. At that moment, the decision to just use an antenna was solidified. I put the antenna in the attic, fished the coax up there, and that was it. (My dad already had a lifetime subscription to TiVo and the current generation of TiVo boxes handle antennas without problems; I believe a few years ago this wasn’t the case.)

It has now been a few months and my parents are happy with the picture quality and the channels they get; I’m sure there are a few shows they’d like, but I’m not sure the cost justifies them. There are many options between Amazon Prime, Netflix or even buying episodes on iTunes that they’re content. My parents aren’t sports people, so not having ESPN and the like isn’t a problem.

I dropped cable a few years ago and haven’t looked back. My father would have purchased a TV package from the cable company, but the choices were too overwhelming, so instead I saved him a bunch of money. Many content providers are already offering programming outside of cable which is excellent, and cable companies will have to be content with just being a pipe for the Internet.

SSL Certificates on Private Networks with the EdgeRouter

These days it seems like every device on my home network has its own web server. Some of the devices have SSL enabled on them and force you to use them (http requests are redirected to https); this isn’t bad, but since the sites are accessed with an IP address or a local name (using Bonjour), browsers always give a warning about a domain name mismatch. For those that don’t know, when you connect to a secure site, the browser checks the domain name you entered with that of the certificate; if they don’t match, it could indicate that someone is trying to spoof the site. You can either ignore the warning or you can choose the option to always trust the certificate. The latter method is what I usually do, but it just doesn’t feel right and there could be security issues with this method.

Since I purchased a wildcard SSL certificate for my domain, I thought there must be a way to use it and not get browser warnings or have to accept the certificate. While browsing the forums for my EdgeRouter Lite, I stumbled upon a command that lets me basically override DNS entries. I could have set up DNS entries such as and set up a private IP address ( on my DNS provider, it isn’t a good idea to pollute DNS with private addresses and I’m not even sure my provider’s system would have allowed it.

The forums indicated I could do the following:

    set system static-host-mapping host-name inet

This simple command tells the EdgeRouter Lite’s caching DNS server to return this entry prior to using real DNS servers. I set up the SSL certificate on a few of my internal boxes, used that command and now I use to securely access the devices and no longer get browser warnings.

The EdgeRouter Lite has so many options that I’m just starting to scratch the surface on them and how I can use them!

Could we get Internet choice in San Diego?

Today Google announced that they are exploring bringing Fiber to San Diego. This is excellent news, but it will be a long time before anything actually happens. With Time Warner Cable bringing 300 Mbps/20 Mbps connections to us later this year and possibly having gigabit from Google, consumers may actually have a choice in San Diego.

I’m not holding my breath that we’ll get Google Fiber here because we are a large city with aging infrastructure in many areas (in my neighborhood, we don’t have power cables in conduit and I suspect that we don’t have conduit in the street for cable or telephone). Also as my son correctly pointed out, San Diego has cable franchise agreements with Time Warner Cable north of Interstate 8 and with Cox Communications south of Interstate 8. Why would Google Fiber be different than cable? It would provide the same services that cable provides, telephone, Internet, and TV. I suspect that the city council would have to do something about the franchise agreements.

I’m crossing my fingers that Google Fiber will come, but in the meantime barring any problems with Time Warner Cable, I’ll be getting 200 Mbps service in a few months.