The Story Within The Story

There have been a lot of instances in the past few months where a story about Trump contains a throw-away line that seems more important than the story being conveyed. Not reading EOs in a NYTimes piece not long after the inauguration, for instance.

Today’s reporting on Paul Manafort seems to be following this trend. The guy had a multi-million dollar contract with Oleg Deripaska … who is, in turn, a friend/ally of Putin. There’s a lot of focus on the money involved, the further involvement of Trump associates with Russians, and the speeches and policy changes that were made pre-convention last year. But the scope of the work seems to be overlooked. He provided strategies on how to advance Russian interests around the world and undermine Putin’s political rivals. Which sounds a lot like advancing Russia’s interests by undermining rivals … or hacking the DNC and releasing information that reflects negatively on Clinton. And releasing more when she still looked to be leading in the weeks prior to the election.

The campaign chair potentially came up with the strategy that may or may not have involved collusion from Trump’s team. Even if they’re a bunch of stooges … the fact that the chap who consulted on the policy in the first place then took a high-level position with the campaign looks REALLY bad.

Coverage does not equal access

Coverage does not equal access — this political quip used to argue against the ACA is indeed true. Not sure why the answer is not that *no* coverage pretty well ensures no access.

It was a little silly to say that no one would need to change plans or doctors with the new law. Each new annual enrollment period at work, we have different plans and, yeah, I have to change plans even though I liked the one five years ago that had WAY lower deductibles, lower out-of-pocket expenses, and lower cost to purchase. It isn’t available. I remember my mom changing doctors a number of times in the 80’s because her doctor no longer accepted whatever insurance she had at the time. Why one would claim the ACA would change facts that have been true as long as insurance has been around is beyond me. But the claim was made, so it’s a point of criticism for the law.

I guess the implication is that the AHCA will provide both coverage and access. I’ve read the bill … and not heard anyone explain how the changes even provide coverage let alone access. I guess if fewer people can afford coverage, the lucky ones who can don’t compete for appointments anymore. But that’s hardly a selling point for a bill — a bit like saying we’ve increased selection at the grocery store by making sure 18% of your neighbors can no longer afford food.

There’s a balance in the ACA that I don’t really like. But I *understand* that if we are going with the insurance model of health care and don’t want insurance companies to refuse to cover pre-existing conditions, we’ve got to ensure they’ve got customers who aren’t sick. In this light, the proposed changes to the AHCA allowing states to make up their own list of essential services make a bad bill even worse. I’d be able to have “continuing” coverage (and thus not be someone who could be charged a surcharge by an insurance company) by buying the cheapest policy available that covers only sprained left wrists. Then when I *actually* get sick, buy a good insurance policy that covers actual medical care.

Read Your Constitution

I hear a few people hopefully speaking of impeachment as the FBI investigates Trump and his campaign for possible collusion with Russia during the 2016 election. Does anyone seriously think impeachment would nullify the election?! So Trump gets impeached. Now we have Pence. Trump minus the populist bits (infrastructure funding, trade protectionism) but with a heaping side of religious zealotry. I don’t care if the dude would personally never be alone in the same room with a woman other than his wife. People have all sorts of out-there principles that they uphold; so long as they don’t expect *me* to follow their dictate … who cares. But legislation banning sex ed, restricting access to birth control, bringing back the sodomy laws – homosexual marriage isn’t illegal (so saith the Supreme Court) but so doing will meet the evidentiary requirements for a surveillance warrant at your local PD. Hell, even if you lived in a local and state jurisdiction where they just fail to investigate (and, don’t worry, the feds will threaten to withhold money from these ‘sanctuary cities’ too) … watch out where you vacation. Scrutinize your connecting flights. Hope there isn’t an emergency landing. Point being, Pence isn’t actually better. He has discipline and knowledge of government. He has a shot at getting pet legislation through Congress.

Maybe they’re hoping that Pence goes down with the ship too – great, now we’ve got Ryan. May be a win on the legislating fundamentalist Christian morality front, but we’ve seen his health care plan seven years in the making. Does anyone seriously think his tax plan, regulatory plan … are going to be any better?

Then we’ve got Hatch – might be an improvement. Tillerson: government run by what’s best for oil companies! Of course next in line is Mnuchin: government run by what is best for mega-banks. Eventually one of these people will stick around – several were not involved in Trump’s campaign.

Windows 10 Tablet Mode

Now I know the *right* answer is “don’t let your four-year-old randomly click stuff on your computer” … which is an extension of “don’t let your cat walk/sleep on your keyboard” (a maxim I could never convince my mom was a good rule for computer usage). But I booted my Windows 10 computer to find I no longer had a desktop. I’ve got some theme-colored background with a couple of icons. I can go to all apps. I can get into settings and all sorts of things.

Not a Windows desktop:

And I didn’t even know what this thing was called to Google how to get rid of it. A bunch of random clicking later, and I’ve discovered Windows 10 has a “tablet mode”. Which was turned on – and just like I could never figure out how a sleeping cat managed to hit the three-key command required to rotate an Intel graphics card display by 90º, I have no clue how Anya’s gotten into this particular mode. Luckily it’s easy to undo (click it to turn it off); voila, I’ve got a desktop again.

Alternative Fact: Incidental Intercept

Alternative Fact: The Obama administration has “wiretapped” (now in quotes, which evidently means intercepted some type of communication using any number of means) Trump. Or his associates.

Real Fact: If an investigative agency has legitimate orders permitting them to intercept communications of a specific individual or location and they happen to pick you up because you are communicating with that individual or location, *you* are not being spied on.

The Russian Ambassador in DC was being spied on – but I’m sure Kislyak knew that a decade or so before when he took the role so this isn’t exactly earth shattering news as much as “standard operating procedure”. If it makes you feel better, I’m sure the Russians surveil Spaso House. And anyone who happens to ring that number gets their communication intercepted too. Hell, I would bet that Ambassadors.

If you really want to think about it, all sorts of people are probably picked up in incidental intercepts. Why is that? Start reading the actual laws that supposedly allow surveilling foreigners without impugning the rights of American citizens. And how poorly those protections actually protect our rights. Actually read the Foreign Intelligence Surveillance Act. Too long? At least read up on Section 702 surveillance. In a bit of extra irony, it was Nunes who was called out for misrepresenting the risk of ‘backdoor’ searches where American citizens have communications intercepted under these “save us all from the terrorists” laws. Before getting a warrant for *you* specifically (well, provided you’re doing something dodgy), I’m certain law enforcement queries their database of collected information to see if they’ve already got something on you. So basically Nunes is sure the existing laws protect us, ordinary citizens … but the exact same laws were horribly abused to spy on Trump. Basically it’s fine for everyone else, but this law shouldn’t apply to ME.


From Russia, With Love

The more I hear about Flynn communicating with Ambassador Kislyak, the stranger it seems. Why the subterfuge? Surely the Russians knew Trump won the election, and they knew when he took power. Even if they didn’t think Trump would remove any sanctions put in place (why object to something you know is going to be rescinded in a few weeks?), the strategic move would be to wait for an inexperienced administration before taking any retaliatory action. There was absolutely no reason to tell the Russians “hey, don’t worry about the sanctions being put in place by the current administration. we’ll get you sorted in January”.

Learning From History

It is not yet hurricane season, but there are other sorts of natural disasters that aren’t so predictable. And there is not a director of FEMA. Some directors have a great deal of experience in disaster management, and some (GW’s guy who couldn’t manage to run the Arabian Horse Association) are sweet jobs given to friends or political supporters. After FEMA’s performance during Katrina, I expected the office to become the exclusive domain of people with disaster management experience. Folks from the Red Cross, or National Guards, or disaster response agencies from states prone to disasters. For some time, that expectation was realized.

Then came Trump. Like many facets of government where Republicans think government is just wasting money or causing problems … well, he hasn’t even managed to nominate a political hack to serve as the agency head. There’s no one. I have a lot of experience in M&A – any time your department doesn’t get a manager in the new org, update your resume. Your functionality is not going to be around much longer. Because, like we don’t actually ‘need’ the DOE (an agency that keeps track of nuclear materials and intercepts it on the black market) … evidently we don’t need FEMA??

Book “Guitars”

I’ve been trying to play some more teaching games with Anya. Today’s activity was building our own guitar-like instrument. A small box with a hole cut in it would work well, but we used a couple of her board books. Stretch a few rubber bands around the book (I’m a little uptight, so I put them in a specific tonal order … hers are a haphazard arrangement), then insert something under the bands along the book to raise the bands up a little bit from the book. A wooden block, a marker, and a glowstick all worked well. If you put the object toward the center of the rubber bands, then you get two different notes per band.

LAPS For Local Computer Administrator Passwords

Overview

LAPS is Microsoft’s solution to a long-existing problem within a corporation using Windows computers: when you image computers, all of the local administrator passwords are the same. Now some organizations implemented a process to routinely change that password, but someone who is able to compromise the local administrator password on one box basically owns all of the other imaged workstations until the next password change.

Because your computer’s local administrator password is the same as everyone else’s, IT support cannot just give you a local password to access your box when it is malfunctioning. This means remote employees with incorrect system settings end up driving into an office just to allow an IT person to log into the box.

With LAPS, there is no longer one ring to rule them all – LAPS allows us to maintain unique local administrator passwords on domain member computers. A user can be provided their local administrator password without allowing access to all of the other domain-member PCs (or a compromised password on one box lets the attacker own only that box). A compromised box is still a problem, but access to other boxes within the domain would only be possible by retrieving other credentials stored on the device.

Considerations

Security: The end user is prevented from accessing the password or interacting with the process. The computer account manages the password, not the user (per section 4 LAPS_TechnicalSpecification.docx from https://www.microsoft.com/en-us/download/details.aspx?id=46899).

Within the directory, read access is insufficient (per https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad/) to view the attribute values. In my proposed deployment, users (even those who will be retrieving the password legitimately) will use a web interface, so a single service account will have read access to the confidential ms-Mcs-AdmPwd attribute and write access to ms-Mcs-AdmPwdExpirationTime. There are already PowerShell scripts published to search an improperly secured directory and dump a list of computer names & local administrator passwords. You should run `Find-AdmPwdExtendedRights -Identity <OU FQDN>` to determine who has the ability to read the password values, to avoid this really embarrassing oversight.

Should anyone have access to read the ms-Mcs-AdmPwd value beyond the service account? If the web interface goes down for some reason, is obtaining the local administrator password sufficiently important that, for example, help desk management should be able to see the password through the MS provided client? Depends on the use cases, but I’m guessing yes (if for no other reason than the top level AD admins will have access and will probably get rung up to find the password if the site goes down).

In the AD permissions, watch who has write permission to ms-Mcs-AdmPwdExpirationTime, as write access allows someone to bump out the expiry date for the local admin password. Are we paranoid enough to run a filter for expiry > GPO interval? Or does setting “Do not allow password expiration time longer than required by policy” to Enabled sufficiently mitigate the issue? To me, it does … but the answer really depends on how confidential the data on these computers happens to be.

With read access to ms-Mcs-AdmPwdExpirationTime, you can ascertain which computers are using LAPS to manage the local administrator password (a future value is set in the attribute) and which are not (a null or past value). Is that a significant enough security risk to worry about mitigating? An attacker may try to limit their attacks to computers that do not use LAPS to manage the local admin password. They can also ascertain how long the current password will be valid.

How do you gain access to the box if the local admin password stored in AD does not work (for whatever reason)? I don’t think you’re worse off than you would be today – someone might give you the local desktop password, someone might make you drive into the office … but it bears considering whether we’ve created a scenario where someone might have a bigger problem than under the current setup.

Does this interact at all with workplace-joined computers? My guess is no, but I haven’t found anything specific about how workplace-joined computers interact with corporate GPOs.

Server Side

Potential AD load – depends on expiry interval. Not huge, but non-zero.

Schema extension needs to be loaded. Remove extended rights from attribute for everyone who has it. Add computer self rights. Add control access for web service acct – some individuals too as backup in case web server is down??
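As an added example (not part of the original post), here is how the server-side steps above and the rights audit from the Security consideration could be scripted with the AdmPwd.PS module that ships with the LAPS management tools. The OU, the web service account, the break-glass group and the “expected” list are assumptions; the schema extension line is commented out because it is a one-time Schema Admin step.

```powershell
# Added example, not from the original post. Requires the AdmPwd.PS module (LAPS management
# tools) and RSAT ActiveDirectory. OU, account and group names below are assumptions.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou             = 'OU=Workstations,DC=example,DC=com'   # assumption: OU holding the LAPS-managed computers
$webServiceAcct = 'EXAMPLE\svc-laps-web'                # assumption: account the password web site runs as
$breakGlass     = 'EXAMPLE\LAPS-Break-Glass'            # assumption: backup readers if the web site is down

# One-time step run by a Schema Admin: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
# Update-AdmPwdADSchema

# Let each computer account write its own password and expiry (SELF write on both attributes)
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Read on the confidential ms-Mcs-AdmPwd attribute only for the service account and break-glass group
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $webServiceAcct, $breakGlass
# Write on ms-Mcs-AdmPwdExpirationTime for the same principals, so they can force a rotation
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $webServiceAcct, $breakGlass

# Audit: any principal holding "All extended rights" on a computer object can read the password.
# Built-in holders (SYSTEM, Domain Admins, Enterprise Admins) show up here too; decide
# deliberately which of them belong on the expected list instead of ignoring them.
$expected = @($webServiceAcct, $breakGlass, 'NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins')  # assumption

$unexpected = Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers | ForEach-Object {
    $objectDn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        if ($expected -notcontains $holder) {
            [pscustomobject]@{ ObjectDN = $objectDn; UnexpectedHolder = $holder }
        }
    }
}

if ($unexpected) {
    Write-Warning 'Principals that can read local admin passwords but are not on the expected list:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Only the expected principals hold extended rights under $ou"
}
```

The script only reports unexpected holders; the “remove extended rights from everyone who has it” step is still done by hand in the ACL editor (ADSI Edit) as the LAPS operations guide describes, and the audit is worth re-running after every delegation change to an OU.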

Does a report on almost-expired passwords that notifies someone have value?
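One way to get that report, as an added example that is not from the post: ms-Mcs-AdmPwdExpirationTime holds a Windows FILETIME, so a null or past value means LAPS isn’t managing the box (the point made under Considerations), a value well beyond the GPO password age means someone bumped the expiry (the “expiry > GPO interval” filter), and a value in the next few days is “almost expired”. The OU, policy age, warning window and mail settings are assumptions.

```powershell
# Added example, not from the original post. Needs RSAT ActiveDirectory and read access to
# ms-Mcs-AdmPwdExpirationTime (which is not confidential, unlike ms-Mcs-AdmPwd itself).
Import-Module ActiveDirectory

$ou         = 'OU=Workstations,DC=example,DC=com'   # assumption
$policyDays = 30                                    # assumption: "Password age (days)" in the LAPS GPO
$warnDays   = 3                                     # assumption: what counts as "almost expired"
$mailTo     = 'laps-admins@example.com'             # assumption
$mailFrom   = 'laps-report@example.com'             # assumption
$smtp       = 'smtp.example.com'                    # assumption

$now = Get-Date
$report = Get-ADComputer -Filter * -SearchBase $ou -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        # The attribute is a 64-bit FILETIME; empty means no LAPS client has ever written it
        $expires = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }

        $state = if (-not $expires) { 'NotManaged' }                                          # never set
                 elseif ($expires -lt $now) { 'Expired' }                                     # rotation pending, or client not running
                 elseif ($expires -gt $now.AddDays($policyDays + 1)) { 'ExceedsPolicy' }      # expiry bumped past the GPO age
                 elseif ($expires -lt $now.AddDays($warnDays)) { 'ExpiringSoon' }
                 else { 'OK' }

        [pscustomobject]@{ Computer = $_.Name; Expires = $expires; State = $state }
    }

# Summary for the console
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize

# Notify only when something needs a human to look at it
$flagged = @($report | Where-Object { $_.State -in @('NotManaged', 'Expired', 'ExceedsPolicy') })
if ($flagged.Count -gt 0) {
    $body = $flagged | Sort-Object State, Computer | Format-Table -AutoSize | Out-String
    Send-MailMessage -To $mailTo -From $mailFrom -SmtpServer $smtp `
        -Subject "LAPS: $($flagged.Count) computers need attention" -Body $body
}
```

Run it from a scheduled task on a management host rather than a DC; with a short expiry interval, “Expired” will briefly show computers that are simply waiting for their next Group Policy refresh, so a machine is only interesting if it stays in that state.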

Client Side

Someone else figures this out, not my deal-e-o. Set GPO for test machines, make sure value populates, test logon to machine with password from AD. Provide mechanism to force update of local admin password on specific machine (i.e. if I ring in and get the local admin password today, it should get changed to a new password in some short delta time).

Admin Interface

Web interface, provide computer name & get password. Log who made request & what computer name. If more than X requests made per user in a (delta time), send e-mail alert to admin user just in case it is suspicious activity. If more than Y requests made per user in a (longer delta time), send e-mail alert to admin user manager.

Additionally we need a function to clear the password expiry (force the machine to set a new password) to be used after local password is given to an end user.
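Putting the Admin Interface requirements together, as an added example (not the post’s own code): a function the web front end, or a help desk person at a console, would call. It retrieves the password with Get-AdmPwdPassword, writes an audit row, applies the X-per-short-window and Y-per-long-window alerts, and then schedules a rotation with Reset-AdmPwdPassword so the handed-out password is replaced shortly after. Thresholds, paths, addresses and the rotation delay are assumptions; the CSV stands in for the audit database mentioned under Testing Process.

```powershell
# Added example, not from the original post. Run as the service account that holds read on
# ms-Mcs-AdmPwd and write on ms-Mcs-AdmPwdExpirationTime. Values marked as assumptions are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$auditLog    = 'C:\LAPS\audit.csv'           # assumption: stands in for the audit DB
$xPerHour    = 5                             # assumption: X requests per short window
$yPerDay     = 20                            # assumption: Y requests per long window
$adminAlert  = 'laps-admins@example.com'     # assumption
$mailFrom    = 'laps@example.com'            # assumption
$smtp        = 'smtp.example.com'            # assumption
$rotateAfter = [TimeSpan]::FromHours(2)      # assumption: "short delta time" before the password is replaced

function Get-LocalAdminPasswordAudited {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Requester = $env:USERNAME      # the web site would pass the authenticated user instead
    )

    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry -or -not $entry.Password) {
        throw "No LAPS password stored in AD for $ComputerName"
    }

    # 1. Audit: who asked for which computer, and when
    [pscustomobject]@{ Time = (Get-Date).ToString('o'); Requester = $Requester; Computer = $ComputerName } |
        Export-Csv -Path $auditLog -Append -NoTypeInformation

    # 2. Threshold alerts based on this requester's recent history
    $history  = @(Import-Csv -Path $auditLog | Where-Object { $_.Requester -eq $Requester })
    $lastHour = @($history | Where-Object { [DateTime]$_.Time -gt (Get-Date).AddHours(-1) }).Count
    $lastDay  = @($history | Where-Object { [DateTime]$_.Time -gt (Get-Date).AddDays(-1) }).Count

    if ($lastHour -gt $xPerHour) {
        Send-MailMessage -To $adminAlert -From $mailFrom -SmtpServer $smtp `
            -Subject "LAPS: $Requester made $lastHour password requests in the last hour" `
            -Body ($history | Select-Object -Last $lastHour | Out-String)
    }
    if ($lastDay -gt $yPerDay) {
        # Escalate to the requester's manager, looked up from AD
        $managerDn = (Get-ADUser -Identity $Requester -Properties Manager).Manager
        if ($managerDn) {
            $managerMail = (Get-ADUser -Identity $managerDn -Properties mail).mail
            Send-MailMessage -To $managerMail -Cc $adminAlert -From $mailFrom -SmtpServer $smtp `
                -Subject "LAPS: $Requester made $lastDay password requests in the last 24 hours" `
                -Body ($history | Select-Object -Last $lastDay | Out-String)
        }
    }

    # 3. The password is now known to a person: have the client pick a new one at the first
    #    Group Policy refresh after $rotateAfter (this is the "clear the expiry" function from the post)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective ((Get-Date) + $rotateAfter)

    return $entry.Password
}

# Example call, assuming a workstation named WS-TEST01 exists in the test domain
# Get-LocalAdminPasswordAudited -ComputerName 'WS-TEST01' -Requester 'EXAMPLE\jdoe'
```

Reset-AdmPwdPassword only writes the expiration time; the actual change happens when the LAPS client on that computer next processes Group Policy, so the delay you pick is really “rotation delay plus up to one refresh interval”.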

User Interface

Can we map user to computer name and give the user a process to recover password without calling HD? Or have the manager log in & be able to pull local administrator for their directs? Or some other way to go about actually reducing call volume.

Future Considerations

Excluding ms-Mcs-AdmPwd from repl to RODC – really no point to it being there.

Do we get this hooked up for acquired company domains too, or do they wait until they get in the WIN domain?

Does this facilitate new machine deployment to remote users? If you get a newly imaged machine & know its name, get the local admin password, log in, VPN in … can you do a run-as to get your creds cached? Or do a change user and still have the VPN session running so you can change to a domain user account?

LAPS For Servers: Should this be done on servers too? Web site could restrict who could view desktops vs. who could view servers … but it would save time/effort when someone leaves the group/company there too. Could even have non-TSG folks who would be able to get access to specific boxes – no idea if that’s something Michael would want, but same idea as the desktop side where now I wouldn’t give someone the password ‘cause it’s the password for thousands of other computers … may be people they wouldn’t want having local admin on any WIN box they maintain … but having local admin on the four boxes that run their app … maybe that’s a bonus. If it is deployed to servers, make sure they don’t put it on DCs (unless you want to use LAPS to manage the domain administrator password … which is an interesting consideration but has so many potential problems I don’t want to think about it right now, especially since you’d have to find which DC updated the password most recently).

LAPS For VDI: Should this be done on VDI workstations? Even though it’s easier to set the password in the base VDI images than on each individual workstation, it’s still manual effort & provides an attack vector for all of the *other* VDI sessions. Persistent sessions are OK without any thought because they are functionally no different than workstations. Non-persistent sessions with a new name each time are OK too – although I suspect you end up with a BUNCH of machine objects in AD that need to be cleaned up as new machine names come online. Maybe VDI sorts this … but the LAPS ‘stuff’ is functionally no different than bringing a whole bunch of new workstations online all the time.

Non-persistent sessions with the same computer name … since the password update interval probably won’t have elapsed, the in-image password will be used. We can implement an on-boot script that clears AdmPwdExpirationTime to force a change. Or a script to clear the value on system shutdown (but that would need to handle non-clean shutdowns). That would require some testing.
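An on-boot script for the non-persistent, same-name VDI case, added here as an example (not from the post): run as SYSTEM it authenticates as the computer account, which already has SELF write on ms-Mcs-AdmPwdExpirationTime, so it can clear the attribute and kick a policy refresh. The LAPS client then treats the password as expired and generates a fresh one instead of reusing the one baked into the image. It uses ADSI directly so the image does not need RSAT.

```powershell
# Added example, not from the original post. Run as SYSTEM at startup (GPO computer startup
# script, or a scheduled task triggered "At startup") on a non-persistent VDI image.
# Under SYSTEM the ADSI calls authenticate as the computer account, which LAPS already
# allows to write the expiry attribute (Set-AdmPwdComputerSelfPermission).

$computerSam = "$env:COMPUTERNAME`$"    # computer account names end in a dollar sign
$searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$computerSam))"
$result = $searcher.FindOne()
if (-not $result) {
    Write-Warning "LAPS boot reset: could not find the computer object for $computerSam"
    return
}

$entry = $result.GetDirectoryEntry()
# ADS_PROPERTY_CLEAR = 1: remove the attribute value entirely. The LAPS client treats an
# empty or past expiry as "password expired" and sets a new one on its next policy run.
$entry.PutEx(1, 'ms-Mcs-AdmPwdExpirationTime', $null)
$entry.SetInfo()

# Trigger Group Policy processing now rather than waiting for the background refresh
gpupdate /target:computer /force | Out-Null
```

Because the clear happens at every boot, this also gives you a cheap check: a same-name VDI machine whose expiry still matches the value from the image after a reboot is one where the script or the LAPS client did not run.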


Testing Process

We can have a full proof-of-concept test by loading the schema into the test Active Directory (verify no adverse impact is seen) and having a workstation joined to the test domain. We could provide a quick web site where you input a computer name & get back a password (basically lacking the security-related controls where the number of requests generates some action). This would allow testing of the password on the local machine. It would also allow testing of force-updating the local admin password.

Once we determine that this is worth the effort, the web site would need to be fleshed out (DB created for audit tracking). Schema and rights would need to be set up in AD. Then it’s pretty much on the desktop / GPO side. I’d recommend setting the GPO for a small number of test workstations first … but that’s what they do for pretty much any GPO change, so not exactly ground breaking.

Self Driving Cars (or Market Driven Algorithms)

I don’t see much of a future for self-driving passenger vehicles. There are two untenable options for crash avoidance algorithms. Either the algorithm prioritizes my life and property (which means it would kill someone else to save my life … good for me, bad for society) or it won’t (great for society, but am I going to pay money for a car that will literally kill me to save someone else?). Does the computer-assisted human driving model suffer this flaw? An algorithm that engages the brakes any time there is an obstacle within X feet fails to consider the vehicle that is about to slam into the side of your car if you don’t move it into the shrubbery ahead of you.

Self-driving unoccupied vehicles can simply de-prioritize themselves (and the owner needs to accept that financial risk). We may see driving as a service (DaaS?) where a real human is responsible for making these split-second decisions. But allowing people to achieve the metro experience in their own vehicle (i.e. you sit and work for half an hour whilst your conveyance delivers you to your destination) is probably not going to happen.