That’s what we do in business

The most telling phrase from Trump Jr’s interview with Hannity last night — “That’s what we do in business”. He continued to explain that they take whatever information is out there and then decide how to use it. Illegally garnered information about a politician that can be used to influence the decision process to TrumpCo’s advantage? He may love it, but it’s also called blackmail. And is illegal. A competitor’s business plans or IP gathered through corporate espionage? Hiring former employees of competitors for their inside knowledge or sales leads? I’m not saying I doubt that is how Trump does business, but it hardly paints a flattering picture of the organisation. And I hope that a head of the company broadcasting the company’s willingness to use illegally gathered information to the detriment of their competitors is sufficient to bring an investigation into the company’s operations as well.

Part of our support

There’s a sentence in Trump Jr’s released e-mail messages that really stands out to me: “This is obviously very high level and sensitive information but is part of Russia and its government’s support for Mr. Trump”

For a group of people who have spent almost a year now denying that Russia or its government in any way supported, promoted, aided, or favored Trump … passing around an e-mail thread about something that is part of Russia and its government’s support seems ironic. But extra super odd is that no one — neither Trump Jr, nor the people to whom he forwarded the message — found the phrase worthy of remark. Like they already know about Russia and its government providing support for Trump. More like “this message is part of that ongoing situation we all know about” rather than “this message is part of some new and surprising endeavor”.

Furls Crochet Along

Furls makes some beautiful crochet hooks — I picked some up a few years ago in a holiday promo coding failure (free shipping != 50$ off the order) and have been on their newsletter ever since. They’ve got a lot of cool project ideas – a lot of amigurumi critters and crochet along projects. I keep most of them, but nothing has been so awesome that I just had to do it. Until today.

This month’s crochet along project is a sun hat! I am really looking forward to making my own hat. I ordered the materials already – hopefully they’ll get here within a week so I can actually crochet along with the project.

Alternative Fact: Intentions Do Not Matter

Alternative Fact: Kellyanne Conway, in reference to Trump Jr scheduling a meeting with a Russian lawyer who promised damaging info on Clinton but was actually just tricked into scheduling a meeting to discuss adoptions: “Let’s focus on what did not happen in that meeting. No information provided that was meaningful. No action taken. Nothing”

Real fact: I think anyone who has contacted law enforcement officers when trying to put out a hit or got caught up in a solicitation sting can tell you … what you intended to do can be criminal even if your attempt is thwarted. It may be mitigating if he did not know who was offering damaging information about a political opponent. But in the middle of the DNC being hacked and information from the hacks being released (and the candidate specifically requesting the hackers find the deleted e-mail messages), wouldn’t you be suspicious of someone offering up damaging details about the opposition??

Kerberos Authentication on Tomcat

I finally got around to testing out Tomcat 8 and setting up Kerberos authentication for a “single sign-on” experience (i.e. it re-uses the domain logon Kerberos token to authenticate users). This was all done in a Docker image, so the config files can be stashed and re-used by anyone with Docker.

First you need an account – on the account properties page, the DES encryption needs to be unchecked and the two AES ones need to be checked. The account then needs to have a service principal name mapped to it. That name will be based on the URL used to access the site. In my case, my site is http://lisa.example.com:8080 (SPNs don’t mind http/https or port numbers) so my SPN is HTTP/lisa.example.com … to set the SPN, run

setspn -A HTTP/lisa.example.com sAMAccountNameOfMyNewlyCreatedAccount

Then generate the keytab:

ktpass /out .\lisa.example.com.keytab /mapuser sAMAccountNameOfMyNewlyCreatedAccount@EXAMPLE.COM /princ HTTP/lisa.example.com@EXAMPLE.COM /pass P@ssw0rdG03sH3r3

** Note about keytabs – there is a KVNO (key version number) associated with a keytab file. When security-related attributes on the account are changed, the KVNO is incremented. Aaaand you need a new keytab. This means you need to be able to get a new keytab if you plan on changing the account password, but it also means that tweaking account settings can render your keytab useless. Get the account all sorted (check off password never expires if that’s what you want, check off user cannot change password, etc) and then generate the keytab.

While you’re working on getting the SPN and keytab stuff sorted, get docker installed and running on your box. I use Docker CE (free) on my Windows laptop, and I’ve had to disable the firewall to allow access from external clients. I would expect a rule (esp one allowing anything to make an inbound connection to 8080/tcp!) would sort it, but I’ve always had the port show as filtered until the firewall is turned off. YMMV.

I create a folder for files mapped into docker containers (i.e. c:\docker) and sub-folders for each specific container. All of the files from TomcatKerberosConfigFiles are unzipped into that folder. The test website is named lisa.example.com and is either set up in DNS or added to c:\windows\system32\drivers\etc\hosts on the client(s) that will access the site. And, of course, there’s a client machine somewhere logged onto the domain. You are going to need to tweak my config files for your domain.

In jaas.conf — I have debug on. Good for testing and playing around, bad for production use. Also you’ll need your SPN and keytab file name

principal="HTTP/lisa.example.com@EXAMPLE.COM"
keyTab="/usr/local/tomcat/conf/lisa.example.com.keytab"

In krb5.conf — the encryption is about the only thing you can keep. Use your hostnames and domain name (REALM). If you have multiple domain controllers, you can have more than one “kdc = ” line in the realms.

[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = /usr/local/tomcat/conf/lisa.example.com.keytab
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
forwardable=true

[realms]
EXAMPLE.COM = {
kdc = exchange01.example.com:88
master_kdc = exchange01.example.com:88
admin_server = exchange01.example.com:88
}

[domain_realm]
example.com= EXAMPLE.COM
.example.com= EXAMPLE.COM

In web.xml – Roles may need to be sorted around (I’m not much of a Tomcat person, LMGTFY if you want to do something with roles). Either way, the realm needs to be changed to yours:

<realm-name>EXAMPLE.COM</realm-name>

Once Docker is running and the files are updated with your domain info, install the tomcat:8.0 image from the default repository. Start the container mapping all of the custom config files where they go:

docker run --detach --publish 8080:8080 --name tomcat8 --restart always -v /c/docker/tomcat8/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml:ro -v /c/docker/tomcat8/lisa.example.com.keytab:/usr/local/tomcat/conf/lisa.example.com.keytab:ro -v /c/docker/tomcat8/krb5.conf:/usr/local/tomcat/conf/krb5.conf:ro -v /c/docker/tomcat8/jaas.conf:/usr/local/tomcat/conf/jaas.conf:ro -v /c/docker/tomcat8/web.xml:/usr/local/tomcat/webapps/examples/WEB-INF/web.xml:ro -v /c/docker/tomcat8/context.xml:/usr/local/tomcat/webapps/examples/WEB-INF/context.xml:ro -v /c/docker/tomcat8/logging.properties:/usr/local/tomcat/conf/logging.properties:ro -v /c/docker/tomcat8/spnego-r9.jar:/usr/local/tomcat/lib/spnego-r9.jar:ro -v /c/docker/tomcat8/login.conf:/usr/local/tomcat/conf/login.conf:ro -v /c/docker/tomcat8/testAuth.jsp:/usr/local/tomcat/webapps/examples/testAuth.jsp:ro tomcat:8.0

A couple of useful things about Docker — the container ID is useful

C:\docker\tomcat8>docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4e06b32e1ca8 tomcat:8.0 "catalina.sh run" 12 minutes ago Up 12 minutes 0.0.0.0:8080->8080/tcp, 0.0.0.0:8888->8080/tcp tomcat8

But most commands seem to let you use the ‘friendly’ name you ascribed to the container. Running “docker inspect” will give you details about the container – including its IP address. I’ve found different images use different settings: some map to localhost on my box, some get an IP address within my DHCP range.

C:\docker\tomcat>docker inspect tomcat8 | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",

Since this is an image that maps to localhost on my box, I need the lisa.example.com hostname to resolve to my laptop’s IP address. For simplicity, I did this by editing the c:\windows\system32\drivers\etc\hosts file.

Shell into the container:

docker exec -it tomcat8 bash

Update your packages and install the kerberos client utilities:

root@4e06b32e1ca8:/usr/local/tomcat/conf# apt-get update
root@4e06b32e1ca8:/usr/local/tomcat/conf# apt-get install krb5-user

Then test that your keytab is working:

root@4e06b32e1ca8:/usr/local/tomcat/conf# kinit -k -t ./lisa.example.com.keytab HTTP/lisa.example.com@EXAMPLE.COM
root@4e06b32e1ca8:/usr/local/tomcat/conf# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/lisa.example.com@EXAMPLE.COM

Valid starting Expires Service principal
07/08/2017 18:27:38 07/09/2017 04:27:38 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/09/2017 18:27:38

Assuming you don’t get errors authenticating using the Kerberos client utilities, try accessing the Tomcat site. I’ve added a testAuth.jsp file to the examples webapp – it shows the logon method, user name, and what roles they have. An authentication failure looks like this in the Tomcat log:

09-Jul-2017 15:42:55.734 FINE [http-apr-8080-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Verify that your SPN is set to the same name being used to access the site. I’m not sure why the configured service principal name doesn’t supersede the user-entered hostname. But I got nothing but auth failures until I actually entered the hostname into my hosts file and used an address that matches the service principal name.
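A pre-flight check for the two places this setup tends to go wrong, the krb5.conf realm and enctype lines and the match between the URL hostname and the service principal, written as an added example (it is not part of the original post or its config bundle). The function names and the sample config are constructed for illustration; the deprecated-enctype list follows RFC 6649 and RFC 8429.

```python
import re
from urllib.parse import urlsplit

# Single DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated for Kerberos.
DEPRECATED = re.compile(r"^(des-|des3-|rc4-|arcfour-)", re.I)
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_krb5(text):
    """Return ([libdefaults] as a dict, set of realm names under [realms])."""
    section, libdefaults, realms = None, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realms.add(key)
    return libdefaults, realms

def preflight(krb5_text, jaas_principal, site_url):
    """List mismatches worth fixing before starting Tomcat."""
    findings = []
    lib, realms = parse_krb5(krb5_text)
    realm = lib.get("default_realm", "")
    if realm not in realms:
        findings.append(f"default_realm {realm!r} has no [realms] entry")
    for key in ENCTYPE_KEYS:
        weak = [e for e in lib.get(key, "").split() if DEPRECATED.match(e)]
        if weak:
            findings.append(f"{key} allows deprecated: {' '.join(weak)}")
    # The browser requests a ticket for HTTP/<hostname typed in the URL>.
    expected = f"HTTP/{urlsplit(site_url).hostname}@{realm}"
    if jaas_principal != expected:
        findings.append(f"principal {jaas_principal} != {expected} (from URL)")
    return findings

# Constructed sample input: realm name mismatch plus old enctypes.
SAMPLE_BAD = """[libdefaults]
default_realm = EXAMPLE.COM
permitted_enctypes = aes128-cts rc4-hmac des-cbc-md5
[realms]
CORP.EXAMPLE.COM = {
kdc = dc01.example.com:88
}
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("CORP.EXAMPLE.COM", "EXAMPLE.COM").replace(
    "aes128-cts rc4-hmac des-cbc-md5", "aes256-cts aes128-cts")

if __name__ == "__main__":
    principal = "HTTP/lisa.example.com@EXAMPLE.COM"
    for f in preflight(SAMPLE_BAD, principal, "http://localhost:8080/examples/"):
        print("FINDING:", f)
```

Dropping rc4-hmac from krb5.conf only works if the keytab actually holds AES keys; `klist -e -k` against the keytab file shows which enctypes it contains.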

Legalese

So Trump Jr admits that he wanted to have a meeting to get damaging information about Clinton from a Russian attorney but got suckered into talking about adoptions. Sounds bad, but does it count as colluding with a foreign country to undermine a political opponent if you fail spectacularly?

Pressure Washer

We got a pressure washer a few days ago. I don’t like using herbicides on the patio (well, I don’t like using them in general), but keeping the brick free of weeds is an inundating task. We’ve got some vinyl that needs to be cleaned anyway, and found a really good deal on a 2000 psi Ryobi pressure washer.

Tested it out to see if it works well and to see how clean ‘stuff’ gets with just water. Wow! I don’t know if the patio bricks have ever been cleaned. I thought they were a darker colour, but it turns out they were just REALLY grubby. It’s a messy and time consuming process – I’m planning to wear my safety glasses when I finish it up because even low velocity sand in the eyeball … not fun. But it’s a lot of fun too (tiring and ironically dehydrating, but fun). Especially when Anya wants to play in the ricocheting water like it is a sprinkler.

Here’s the difference between clean and uncleaned brick — weeds get blasted right out, dirt is cleared off the stones and from between the bricks (we certainly need to get sand, since the space between the bricks is washed clean), and nothing was used but water. We were worried about damaging the stones, but 2000 psi didn’t break anything. There was a lot of mud piling up as I moved across the patio. I ended up taking a snow shovel and moving the mud off of the patio – otherwise I’d get to a point where the splash-back was making the already cleaned bits filthy again.

Once the patio is cleaned, I want to try it out on the siding and railing vinyl. Hopefully we can clean off the green stuff without detergent too.

 

Saboun Al Ghar Inspired Soap

Most old civilizations have traditional artisan production processes that are hard to sustain in the modern world. Some cheeses in Southern France were sustained through government grants until EU regulations considered such support unsporting. Su filindeu pasta is now only made by three people in Italy. As war ravages a country, even well sustained traditional methods become endangered. The civil/proxy war in Syria has displaced most if not all producers of صابون الغار (‘Aleppo soap’). While we may not be able to faithfully reproduce the exact process to create what may be the world’s oldest hard soap, I think it is important to preserve the knowledge of the process. The ingredients and proportions. The time and temperature of processing, how the soap is poured onto floors to cool and set whilst being walked on with wooden boards to flatten it out. How it is cut and stacked to cure.

In addition to documenting and preserving the process, derivative processes are developed to preserve some facet of the original product. Fact is, a lot of products are not protected by AOC, PDO, or any of the other “X has to be made in Y using the historic technique Z” regulations. Like the unfortunate not-Cheddar cheese that I find in many American grocery stores, Aleppo soap could be made with coconut oil and dye. And maybe that’s where the objection to cultural appropriation comes from — not an objection to someone respectfully trying to reproduce a cultural artifact but of someone bastardizing the artifact for profit or fashion. Reproducing sacred items for frivolity.

After reading about the displaced soap masters, I want to make a soap inspired by the Aleppo process. I need more experience with hot processing soap to follow the traditional long cook method, but I want to hot process the soap to control which oils comprise the superfat. Fully saponify the olive oil, then add the laurel berry oil and saponify some of it.

Then comes the actual recipe – the challenge with traditional soap recipes is that the saponification factor of ash varies. Buying sodium hydroxide yields a consistent product useful in recipes with precise measurements. Ghar soap recipes have percentages of olive oil to laurel berry oil, but more or less call for enough ash. I’m debating between five and ten percent superfat. Five percent seems fairly standard for soap recipes, so I’m leaning in that direction. But I wanted to continue researching authentic recipes before finalizing my ingredients.

Butterfly Garden

We have a small pond in the back yard and a bricked in courtyard in front of the house. I am building butterfly gardens with native plants in both areas. Hopefully we’ll be able to sit in the dining room and watch butterflies hatch.

Here are the plants that I’ve ordered:

Common Name | Botanical Name | Type
Partridge Pea | Chamaecrista fasciculata | Host and Nectar Plant
Showy Milkweed | Asclepias speciosa | Host and Nectar Plant
Western Sand Milkweed | Asclepias arenaria | Host and Nectar Plant
Wild Petunia | Ruellia humilis | Host and Nectar Plant
Butterfly Weed | Asclepias tuberosa | Host Plant
Common Milkweed | Asclepias syriaca | Host Plant
Whorled Milkweed | Asclepias verticillata | Host Plant
Blue Sage Salvia | Salvia azurea | Nectar Plant
Cardinal Flower | Lobelia cardinalis | Nectar Plant
Iron Weed | Vernonia altissima | Nectar Plant
Orange Coneflower, Orange Black-eyed Susan | Rudbeckia fulgida | Nectar Plant
Purple Prairie Clover | Dalea purpurea | Nectar Plant
Royal Catchfly | Silene regia | Nectar Plant
Sweet Joe Pye Weed | Eupatorium purpureum | Nectar Plant
Wild Bergamot, Wild Bee Balm | Monarda fistulosa | Nectar Plant
Golden Alexanders | Zizia aurea | Host Plant
Michigan Lily | Lilium michiganense | Nectar Plant
Rose Milkweed | Asclepias incarnata | Host and Nectar Plant
Purple Coneflower | Echinacea purpurea | Nectar Plant
Wild Lupine | Lupinus perennis | Host Plant
Wild Senna | Senna hebecarpa | Nectar Plant

Making Soap Molds

I want to design and print my own soap molds – special holiday bars or pre-stamped bars. We’re still working on setting up the 3d printer, so haven’t tried anything yet. I have a few downloadable soap mold forms bookmarked (https://www.thingiverse.com/thing:1806226/apps happens to be up in another tab now, but search Thingiverse for ‘soap mold’ and you will find quite a few).

The trick will be finding an appropriate filament — one that won’t melt at soaping temps (something I need to better understand) but can still be extruded at my printer temp (190-250C). Preferably a not-too-rigid filament with a little bit of flex. That’s trial and error – expensive, too, when buying whole rolls of filament. I found http://globalfsd.com/ (there’s both a US and European site) that sells small quantities of many filaments, and I’ve purchased a bunch that *seem* like they might work.

What I planned to do until I can identify a perfect filament for non-melting and easy to remove soaps is create positive forms on the 3d printer (essentially print what you want a bar of soap to look like) and then google up a procedure for making a silicone mold (uneducated guess is glop some silicone ‘stuff’ onto the positive form to create the negative silicone mold).

For anyone wanting to play with a 3d printer without dropping a couple hundred bucks on it: check your local library. Ones around here are building “maker spaces” with 3d printers, embroidery machines, engraving machines, large format printers, etc. You pay for consumables (i.e. filament in this case) but gain familiarity with the machines before deciding to invest in one.