We had a quick deluge today, followed by some sun, followed by more rain — and, in the middle, there was a double rainbow over the lake!
Author: Lisa
Macrame Project – Hanging Plant Basket
I have eight spiral knot “arms” on the plant hanger — it’s starting to look like a sea critter!
The trick that I’ve found to macrame is managing the cords as you work. It’s rather difficult to make knots with four eight-foot cords. Gathering the working cords into individual bundles (and, since I am doing square knots where two cords are being wrapped around a pair of cords … I gathered those two cords into one bundle) makes the whole process quicker and easier.
The tie around the “active” cords then matches up with the string color on my knot diagram — which is great for remembering which of the two knots you just tied!
On Federated Identity Providers
The basic idea here is that you may want someone to be able to validate your users without actually having access to your passwords or directory data. As a counter-example, a company I work with has their payroll “stuff” outsourced. Doing so required a B2B VPN that allowed the hosting company to access an internal LDAP directory. I set up an access control list for their connection so they could only authenticate users. Someone at the hosting company couldn’t download all of the e-mail addresses or phone numbers. Even so, a sufficiently motivated employee of the third-party company could get the logon and password for anyone who used their server – if it’s my code, adding the equivalent of ‘fileHandle.write(f”u:{username} p:{password}”)’ would write a log file with every cred used on the site.
“Don’t contract with dodgy companies that are going to dump your user creds out to a file and do malicious stuff” is a good start, but I would concede that “avoid dodgy companies” isn’t a great security paradigm. Someone came up with this “federated identity” methodology: instead of you asking the user for their ID and password, you get a URL to redirect not-yet-logged-on users over to someone trusted to handle passwords. This is the “identity provider”, or IdP.
I access your website (called the ‘service provider’, or SP), and you see I don’t have any sort of auth cookie to get me logged in. You forward my browser, along with some header info, over to IdentityProviderSite. IdentityProviderSite says to the end user “hey, what is your username and password”, checks what is entered, maybe does the MFA “really, prove it” thing, and then redirects the browser back to the originating website. It includes some header stuff that says “Hi, I am IdentityProviderSite and I used my trusted private key to sign this message. I promise that the person associated with this connection is really Lisa. And here’s her important info (could just be username, could be first name, last name, email address, etc.) that you can also trust is right.” No idea why, but the info about the person is called an “assertion” — so you’ll see talk about mapping assertions (which is basically telling my application that the thing it calls “logonID” is going to be called “userID” or “uid” or whatever in the data coming from IdentityProviderSite). Voila, I’m now on your website and logged in even though my password never transited your system. All you ever got was a promise that the person on this connection is really Lisa.
To accomplish this, there is a ‘trust’ between an application & an identity provider — if you tried to send a web user to IdentityProviderSite without establishing such a trust, it would say “yeah, I’m not validating users for you — I have no idea who you are”. And, similarly, a web app isn’t going to just trust any random source to say “really, I promise this is Lisa”. So we go into the web application and say “I really, really want to trust IdentityProviderSite when it tells me a user’s ID” and then go into IdentityProviderSite and say “I want WebApp to be able to ask to validate users”. And there’s some crypto stuff because IdentityProviderSite signs its “I promise this is Lisa” message & we don’t want someone to be able to edit that to say “I promise this is Fred”.
Why, oh why, is “where to send the authenticated person back to continue on their merry way” called an Assertion Consumer Service? The “service provider” is supposed to “consume” the identity … so it’s the URL of the “assertion consumer” (i.e. the code in the application that has some clue what to do with the “I promise this is Lisa” blob of data that they call an assertion).
Does this make any sense for third-party companies that we really shouldn’t trust? Companies that aren’t located on our internal network to access our directories directly? Absolutely! Does this make any sense for our internal stuff? Stuff with direct, encrypted access to the AD directory? Eh … it goes well with the “trust no one” security principle. And points for consistency — every app’s logon will look the same. But it’s a lot of overhead / Internet traffic / complexity, too.
The basic process flow when a user attempts to use a site is:
- A client attempts to access some web resource to which they are not already authenticated.
- The end web application redirects the client to the Identity Provider.
- The Identity Provider authenticates the user.
- The Identity Provider redirects the client to the Assertion Consumer Service (ACS) on the web resource by sending a SAML response over HTTP POST.
- The web server processes the SAML response.
- The client is redirected to the actual web application URL.
- The web server authorizes the user to access the requested web resource.
- The application server sends the HTTP response back to the client.
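The flow above in code, as an added example (not code from the page or any identity product): the service-provider side of an SP-initiated SAML exchange, Python standard library only. The entity IDs and URLs are assumptions, the Response is constructed inline and unsigned, and because checking an XML-DSig signature needs a library the page doesn’t name, that step is a callback the caller supplies. Everything else is real: the HTTP-Redirect encoding of the AuthnRequest (step 2) and the checks the Assertion Consumer Service has to make (step 5) before it trusts the “I promise this is Lisa” blob.

```python
# Service-provider side of the SP-initiated SAML flow above. Added example; the
# entity IDs/URLs are assumptions, the Response is constructed (unsigned), and
# signature_ok stands in for a real XML-DSig library verifying the IdP's cert.
import base64
import datetime as dt
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://webapp.example.com/sp"         # assumed
ACS_URL = "https://webapp.example.com/saml/acs"        # assumed
IDP_ENTITY_ID = "https://idp.example.net/idp"          # assumed
IDP_SSO_URL = "https://idp.example.net/sso/redirect"   # assumed
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ATTRIBUTE_MAP = {"uid": "logonID", "mail": "email"}   # assertion mapping: IdP name -> app name
NOW = dt.datetime(2022, 8, 12, 15, 40, 0, tzinfo=dt.timezone.utc)  # fixed clock for the sample

class SamlRejected(Exception):
    """Any failed check means the user is NOT logged in."""

def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Step 2: the AuthnRequest the SP sends; remember request_id for InResponseTo."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw deflate, no zlib header
    raw = co.compress(authn_request_xml.encode()) + co.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def idp_decode_redirect(url: str) -> tuple:
    """What the IdP does with that URL (inverse of redirect_url): (AuthnRequest XML, RelayState)."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params["RelayState"][0]

def _ts(value: str) -> dt.datetime:
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def consume_response(response_xml: str, signature_ok, pending_ids: set, now: dt.datetime) -> dict:
    """Step 5: the Assertion Consumer Service. The IdP's signature proves who spoke;
    these checks prove it was meant for this SP, this request, and this moment."""
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response' or root.get("Destination") != ACS_URL:
        raise SamlRejected("not a Response addressed to our ACS")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlRejected("IdP did not report success")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_ids:
        raise SamlRejected("unsolicited or replayed response")
    pending_ids.discard(in_response_to)                # one request ID, one login
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one assertion")
    assertion = assertions[0]
    if not signature_ok(assertion):                    # verify the element you are about to use
        raise SamlRejected("bad or missing signature")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlRejected("assertion not from the IdP we trust")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise SamlRejected("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlRejected("assertion was issued for a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != in_response_to
            or _ts(scd.get("NotOnOrAfter")) <= now):
        raise SamlRejected("subject confirmation does not match this ACS/request")
    identity = {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        local = ATTRIBUTE_MAP.get(attr.get("Name"))
        if local:
            identity[local] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return identity

def sample_response(in_response_to: str, audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned stand-in for what the IdP POSTs to the ACS in step 4."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="2022-08-12T15:37:43Z" Destination="{ACS_URL}" '
            f'InResponseTo="{in_response_to}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
            f'</samlp:Status><saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-08-12T15:37:43Z">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>lisa</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" '
            f'NotOnOrAfter="2022-08-12T15:42:43Z"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="2022-08-12T15:37:43Z" NotOnOrAfter="2022-08-12T15:42:43Z">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
            f'<saml:Attribute Name="uid"><saml:AttributeValue>lisa</saml:AttributeValue></saml:Attribute>'
            f'<saml:Attribute Name="mail"><saml:AttributeValue>lisa@example.com</saml:AttributeValue>'
            f'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

The “trust” the post talks about shows up here as three things the SP pins: the IdP’s Issuer value, its signing key (behind signature_ok), and the Audience it expects to be named in. The other checks (Destination and Recipient equal to our ACS URL, InResponseTo matching a request we actually sent and then forgetting that ID, the NotBefore/NotOnOrAfter window) are what stop a valid, correctly signed assertion from being reused against a different application or replayed later; a signature alone proves only that IdentityProviderSite said it, not that it was said to you. In a real deployment the signature callback must verify the same Assertion element that is then read, using the certificate configured when the trust was set up.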
Why doesn’t everyone do this — non-working hours clarification
I like that Microsoft has added “they are x hours behind you” to individual profiles, but that assumes people all work 8-5 in their local time. Which isn’t the case, so I’ve been introducing myself to new people that I need to engage in meetings with something like “I work in the Eastern time zone but am generally available until about 6PM Eastern if that’s better for you” & asking for a similar response from them. I know some people who live in the Central, Mountain, or Pacific time zones but work 8-5 Eastern. I know others who live in the same area and work 9-6 or 11-8 Eastern. We have overseas contractors who work from 3:30 AM to 12:30 PM Eastern, and others who start working around 10 AM.
Seems like it would make collaborating with others easier if we all had recurring appointments to clarify our non-working hours. A recurring each-weekday appointment like below — marked as away so it doesn’t look like I’m just booked solid at dark-o-clock, recurring, and no reminder (because that would get super annoying). And maybe a recurring weekly one from whatever PM on Friday through whatever AM on Monday if there is a statistically significant number of people who’d be working Tue-Sat or Sun-Thu.
Doesn’t really provide much value implemented in a small group – you generally get a good idea of when your immediate coworkers are working. But it would help a lot when reaching out to other groups!
A Cali-Kitty
Super Soft Rolls
Ingredients:
- 4 cups of all-purpose flour
- 1 1/2 cups warm water
- 2 Tbsp sugar
- 1 Tbsp yeast
- 1 tsp salt
- 1/4 cup butter
Mix yeast and sugar into warm water and allow to set until it is frothy.
In a stand mixer, mix flour and salt. Slowly add in the yeasty water & mix. Knead with a bread hook and slowly add in about 1 tsp pieces of butter at a time until it has all been incorporated. Continue to knead until the dough is smooth and shiny.
Allow to rise until it has doubled in size. Form and allow to rise again. Then bake.
To make sausage rolls, bake at 375 F for about 18 minutes.
Useful DNF Commands
Beyond basic stuff like “dnf install somepackage” or downloading an rpm and using “dnf install my.package.rpm”, this is a running list of useful dnf commands.
List installed packages (similar to rpm -qa):
dnf list installed
List packages with updates available (the exit status is 100 when updates are available and 0 when there are none, which is handy in scripts):
dnf check-update
Update everything but the kernel (quote the glob so the shell doesn’t expand it against files in the current directory; keep in mind that excluding the kernel also skips kernel security fixes, so don’t leave it excluded forever):
dnf update -x 'kernel*'
Find the package that provides something:
[lisa@rhel1 ~/]# dnf whatprovides cdrskin
Last metadata expiration check: 2:35:57 ago on Fri 12 Aug 2022 11:37:43 AM EDT.
cdrskin-1.5.2-2.fc32.x86_64 : Limited cdrecord compatibility wrapper to ease migration to libburn
Repo        : fedora
Matched from:
Provide    : cdrskin = 1.5.2-2.fc32

cdrskin-1.5.4-2.fc32.x86_64 : Limited cdrecord compatibility wrapper to ease migration to libburn
Repo        : updates
Matched from:
Provide    : cdrskin = 1.5.4-2.fc32
Package info, including version:
[lisa@rhel1 ~/]# dnf info sendmail
Last metadata expiration check: 2:37:19 ago on Fri 12 Aug 2022 11:37:43 AM EDT.
Available Packages
Name         : sendmail
Version      : 8.15.2
Release      : 43.fc32
Architecture : x86_64
Size         : 730 k
Source       : sendmail-8.15.2-43.fc32.src.rpm
Repository   : fedora
Summary      : A widely used Mail Transport Agent (MTA)
URL          : http://www.sendmail.org/
License      : Sendmail
Description  : The Sendmail program is a very widely used Mail Transport Agent (MTA).
             : MTAs send mail from one machine to another. Sendmail is not a client
             : program, which you use to read your email. Sendmail is a
             : behind-the-scenes program which actually moves your email over
             : networks or the Internet to where you want it to go.
             :
             : If you ever need to reconfigure Sendmail, you will also need to have
             : the sendmail-cf package installed. If you need documentation on
             : Sendmail, you can install the sendmail-doc package.
Show history:
[lisa@rhel1 ~/]# dnf history
ID  | Command line                | Date and time    | Action(s) | Altered
------------------------------------------------------------------------------
102 | remove liberation-fonts     | 2021-11-28 18:44 | Removed   |    3
101 | remove chromedriver         | 2021-11-28 18:44 | Removed   |    2
100 | remove google-chrome-stable | 2021-11-28 18:44 | Removed   |    1 <
 99 | install liberation-fonts    | 2021-11-28 18:42 | Install   |    1 >
 98 | install chromedriver        | 2021-11-28 18:38 | Install   |    2
 97 | remove mediainfo            | 2021-11-16 13:31 | Removed   |    4
 96 | install mediainfo           | 2021-11-16 13:29 | Install   |    4
Which brings up an interesting command — you can undo a history step (a whole transaction, including the dependencies it pulled in) instead of trying to uninstall the list of things you just installed:
dnf history undo 98 -y
Buckwheat
Indigo Bunting
I like watching the goldfinches eating the ornamental grass seeds. Today, though, this blue bird showed up too. Looking up small blue birds, we found a rare blue bird native to, like, Venezuela … seemed rather surprising to see one here. And then I scrolled to the next small blue bird — the Indigo Bunting — which is fairly common and native to our area. So … yeah, I’m going to go with Indigo Bunting.
Arguing with the science
A week or so ago, I came across an article referencing a book about how climate impact will be inequitable — and, while reading the article, I rather disagreed with some of their assumptions. I later encountered an online discussion about the article — which included, among a few other dissenters, an admonishment not to “argue with the science”. Problem, there, is arguing with the science is the whole point of the scientific method. The point of peer-reviewed publications. And, really, modeling the socio-economic impact of climate change (or even modeling climate change itself) isn’t a science like modeling gravity or radioactive decay. These kinds of models usually involve a lot of possible outcomes with associated probabilities. And ‘argue with the science’ I will!
Certainly, some of the rich will move out first. You can air condition your house and car into being habitable. Companies can set up valet services for everything. But your chosen location is becoming very limiting – no outdoor concerts, no outdoor sports games. You can make it habitable, but you could also spend some money, live elsewhere, and have oh so many more options. Most likely you’d see an increase in second homes – Arizona for the winter and a place up north for summers. Which might not show up as ‘migration’ depending on which they use as their ‘permanent’ address.
People with fewer resources, though, face obstacles to moving. Just changing jobs is challenging. It’s one thing to transfer offices in a large company or be a remote employee who can live anywhere. But can a cashier at Walmart ask their manager to get transferred from Phoenix to Boston? What about employees of smaller businesses that don’t have a more northern location? Going a few weeks without pay on top of moving expenses? (The rental deposit is a huge one – I’ve known many people stuck in a crappy apartment because they have to save the deposit to move. Sure, you get your previous deposit back, but that takes weeks.) Really makes me question the reality of mass migration of poor people.