diff --git a/CHANGESTODO b/CHANGESTODO index b48985a..c16674e 100644 --- a/CHANGESTODO +++ b/CHANGESTODO @@ -1570,6 +1570,23 @@ ________________________________________________________________________ (later people called this technique 'CERTIFICATE PINNING') == PSYC CLIENTS ======================================================== + +- PSYC clients are currently not detected as being secure even if they + connect by Tor, TLS or localhost. This is because the net/psyc/user object + as such isn't connected and the attempt to find the corresponding circuit + opens up the question: what if the user has several clients linked? Does + a secure one qualify for the entire user object to be trustworthy? What if + there is another client that isn't secure? Possible approach to solve the + issue: Disallow any password-protected user to be logged in over insecure + channels at any time. This is probably a good idea anyway as it respects + the civil rights of *other* users that interact with this user in the + expectation that conversations be private. This has the side effect that + PSYC users are forced to register before entering @welcome, unless we also + do the refactoring described in MULTIPLE CLIENT INTERFACES and somehow fix + that aspect in the process. Or we just walk through all the links and make + sure all of them are secure, but that raises the problem of dealing with a + new insecure client connecting. + - tg runs into trouble using _do_enter and _do_leave. apparently the enter-echo is not accepted by the UNI and thus does not make it into _list_places - _do_leave does not forward the echo from remote places back to the client @@ -1582,8 +1599,6 @@ ________________________________________________________________________ ? psyc clients haben uferlose idle times und sie altern nicht -? cryptochat raum? - ? how to improve _request_store and _retrieve? look at http://asg.web.cmu.edu/acap/ for ideas diff --git a/bin/psyconf b/bin/psyconf index 4a9f358..aeb611c 100755 
--- a/bin/psyconf +++ b/bin/psyconf @@ -613,7 +613,7 @@ X # TODO: generate a psyced.gdb file kind of like this print </dev/null` if wget "${lpcbaseurl}/${driver}-${driverver}.tar.${zip}" then echo "${driver} successfully retrieved." + echo "Expect this checksum:\n\n${driversha256}" + sha256sum ${driver} else echo "${hi}ATTENTION: Unable to download ${driver}" echo "${hi}ATTENTION: ${lo}You have no ${driver}-*.tar.${zip} in this directory." diff --git a/place/nemesis.c b/place/nemesis.c index 4e5a3ec..832b36b 100644 --- a/place/nemesis.c +++ b/place/nemesis.c @@ -1,11 +1,17 @@ #include -#define CONNECT_TELNET "nemesis.de", 2000 +//#ifdef BRAIN +# define CONNECT_TELNET "nemesis.de", 2000 +//#else +//# define CONNECT_TELNET "nemesis.de", 2001 // NemTest +//#endif + #define ON_CONNECT emit("guest\n"); #define ON_ANY NET_PATH "tn/outgoing"::msg(source, mc, data, vars); #include +// to do this properly, we need a systematic way to redo prompts FIXME parse(all) { // remove Nemesis' guest prompt.. why was i so funny // back then to implement several prompt chars? diff --git a/world/default/en/jabber.textdb b/world/default/en/jabber.textdb index f8618c3..effe189 100644 --- a/world/default/en/jabber.textdb +++ b/world/default/en/jabber.textdb @@ -363,6 +363,11 @@ _notice_typing_active _notice_typing_gone | +_notice_telnet_verbatim +| +| [_text_verbatim] +| + _notice_place | | [_data] diff --git a/world/net/tn/outgoing.c b/world/net/tn/outgoing.c index 9b4c30a..d290dd4 100644 --- a/world/net/tn/outgoing.c +++ b/world/net/tn/outgoing.c 
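Review bot: The added lines only print the expected SHA-256 next to the computed one, so a tampered or truncated download is not rejected and the install carries on unless someone compares the two digests by eye. `sha256sum ${driver}` also hashes a path named after the driver rather than the file wget just fetched, `${driver}-${driverver}.tar.${zip}`, so it will probably fail or hash the wrong thing. Let the script do the comparison and stop on mismatch, for example `echo "${driversha256}  ${driver}-${driverver}.tar.${zip}" | sha256sum -c - || exit 1`. The `\n` in the new echo is not expanded by every shell's `echo`; `printf` would be portable. The surrounding if/else continues outside the hunk.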
@@ -1,43 +1,73 @@ // vim:syntax=lpc +// DEBUG: FIXME +#define _flag_log_sockets_telnet_outgoing + #include -//#include #include -#include -//#include +//#include + +// this outgoing "telnet" socket thing implements both '/set mudlink' +// for users as MUD chatrooms such as @nemesis. would be cool if it +// actually was capable of handling telnet protocol, but the mud in +// question isn't, either. +// +// for a tighter integration between psyced and MUD it would also be +// cool to either have a native PSYC side channel, or to embed crypto- +// graphically signed PSYC packets (using a shared secret hash) into +// this stream. // message queueing and automatic reconnect mgmt inherit NET_PATH "circuit"; -//inherit NET_PATH "place/public"; +virtual inherit NET_PATH "output"; +static string connectstring; +static object owner; + +send(all) { + // if this doesn't work, then maybe you just forgot + // to /set charset in your test user + iconv(all, SYSTEM_CHARSET, "ASCII//TRANSLIT"); // should be configurable #ifdef _flag_log_sockets_telnet_outgoing -emit(all, source) { - log_file("RAW_TN_OUT", "%d %O\t-> %s", time(), ME, all); - return ::emit(all); -} + log_file("RAW_TN_OUT", "%O > %O\n", ME, all); #endif + //if (function_exists("emit")) return emit(all); + return emit(all); +} parse(all) { next_input_to(#'parse); #ifdef _flag_log_sockets_telnet_outgoing - log_file("RAW_TN_OUT", "%d %O\t<- %s", time(), ME, all); + log_file("RAW_TN_OUT", "%O < %O\n", ME, all); #endif - // assumes multicaster.. 
fix later - castmsg(ME, "_notice_telnet_verbatim", "[_text_verbatim]", + if (all && all != "") iconv(all, "ASCII//TRANSLIT", SYSTEM_CHARSET); + if (owner) sendmsg(owner, + "_notice_telnet_verbatim", "[_text_verbatim]", + ([ "_text_verbatim": all ])); + else if (function_exists("castmsg")) castmsg(ME, + "_notice_telnet_verbatim", "[_text_verbatim]", ([ "_text_verbatim": all ])); } link(ho, po) { - sTextPath(0, 0, "tn"); + //sTextPath(0, 0, "tn"); return ::circuit(ho, po || TELNET_SERVICE); } +config(host, port, justdoit) { + connectstring = replace(justdoit, " ", "\n") + "\n"; + owner = previous_object(); + link(host, port); +} + logon(failure) { int rc = ::logon(failure); unless (rc) return 0; next_input_to(#'parse); parse("[connected]"); // hack to maintain logon ascii graphics intact + // could have queued this instead: + if (connectstring) call_out(#'send, 1, connectstring); call_out(#'runQ, 3); // deliver the queue of messages in circuit.c return rc; } @@ -78,7 +108,7 @@ msg(source, mc, data, mapping vars, showingLog, target) { if (abbrev("_message_public", mc)) { // FIXME: should we handle the disconnect instead? if (data == "quit") return 1; - return emit(data + "\n"); + return send(data + "\n"); } #endif } @@ -99,7 +129,7 @@ render(string mc, string data, mapping vars, mixed source) { output = psyctext( template, vars, data, source); if (!output || output=="") return D2(D("tn/out: empty output\n")); if (template == "") output += "\n"; - emit(output); + send(output); } #endif diff --git a/world/net/usercmd.i b/world/net/usercmd.i index 1c8fd34..236bc37 100644 --- a/world/net/usercmd.i +++ b/world/net/usercmd.i 
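Review bot: `#define _flag_log_sockets_telnet_outgoing` is switched on unconditionally at the top of the file (marked DEBUG/FIXME), so the new `send()` and `parse()` write the full content of every session to RAW_TN_OUT, including the `connectstring` that `logon()` hands to `send()`. Judging by its use as a login sequence, that string will usually hold the user's MUD account name and password. The same value is printed by `P0(("mudlink %O\n", value))` in the checkVar hunk of world/net/usercmd.i. Drop the define before merge and leave the flag to site configuration, log a fixed marker such as `"[connectstring sent]"` instead of the connect string itself, and let the P0 line print at most host and port.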
@@ -143,6 +143,27 @@ input(a, dest) { #endif } +#define MUDLINK //FIXME + +#ifdef MUDLINK +object mudlink; + +mudlink(config) { + string connectstring, host; int port; + // should have mud nicknames instead, so that charsets, prompts + // and login procedures can be automated.. + if (sscanf(config, "%s %d %s", host, port, connectstring)) { + // FIXME L8R: + //unless (objectp(mudlink)) mudlink = named_clone(NET_PATH "tn/outgoing", MYNICK); + unless (objectp(mudlink)) mudlink = clone_object(NET_PATH "tn/outgoing"); + if (objectp(mudlink)) mudlink -> config(host, port, connectstring); + return 1; + } + // could produce a dedicated syntax warning here.. default is okay + return 0; +} +#endif + parsecmd(command, dest) { array(string) args; string a; @@ -2011,6 +2032,13 @@ tell(pal, what, palo, how, mc, tv) { return; } #endif +#ifdef MUDLINK + if (pal == "$mud") { + unless (objectp(mudlink) && interactive(mudlink)) mudlink(v("mudlink")); + if (objectp(mudlink)) mudlink -> send(what +"\n"); + return; + } +#endif // MUDLINK #ifdef ALIASES // this also allows for /alias MEP MunichElectropunk deaPal = aliases[lower_case(pal)] || pal; @@ -2664,6 +2692,7 @@ checkVar(key, value) { string a, b; array(string) t; + P3(("%O checkVar(%O, %O)\n", ME, key, value)) // aliases for variable names switch(key) { case "befehlszeichen": @@ -2969,6 +2998,12 @@ checkVar(key, value) { // case "popstarfave": // case "musicfave": break; // always valid +#ifdef MUDLINK + case "mudlink": + P0(("mudlink %O\n", value)) + if (value && !mudlink(value)) value = 0; + break; +#endif case "encoding": key = "charset"; // fall thru case "charset":
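Review bot: `mudlink()` takes host and port straight from the user's setting and passes them to `config()`, so any user who can set `mudlink` can make the server open a TCP connection to an arbitrary address, internal ones included, and write user-chosen lines to it; `#define MUDLINK //FIXME` turns this on for every build. The existing comment about MUD nicknames already points at the fix: resolve the setting against a list of MUDs configured by the administrator, refuse anything else, and make the define a site option. Separately, `if (sscanf(config, "%s %d %s", host, port, connectstring))` is true on a partial match, so input with fewer than three fields appears to reach `config()` with `connectstring` unset and then `replace()` in tn/outgoing.c; compare the result with `== 3`.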