Fake Wars!

Last week in fake history: just days before the Bowling Green Massacre, Canada invaded Washington DC and razed our federal buildings.

Historical ignorance (and sure it’s scary that Trump is both so ignorant of history AND unwilling to accept counsel), aside — so what if Canada *did* burn down the White House in 1814. Say Canada *were* a country aligned with England, and they participated in the war of 1812 by invading the US and burning DC. How does that make Canada a national security threat TODAY?

Controlling Printer Outlet

We normally keep our printer turned off. Residential printer standby can have a decent draw. It’s something you have to research specific to your printer — some have low single-digit standby draw and waste ink when powered on and off. Others, like ours, have a non-trivial standby draw that isn’t offset by ink savings. The problem is that you’ve got to turn the printer on, print your stuff, and then remember to turn it off. The tiny person remote power controller (i.e. Anya) works for this, but it’s not an elegant automated solution.

Scott set up a smart outlet for the printer – you can tell the Echo to turn the printer outlet on and off now. But you still have to remember to turn it off 🙂

So I set up a print queue on the server & all print jobs are submitted to the server-based queue. A scheduled task on the server checks the print queue for jobs and turns the printer on when jobs are found. When the printer is on but no jobs are in the queue, it waits ten minutes and checks again (otherwise you could turn the printer on & have the batch immediately turn it off, or worse, the job could be out of the queue but still printing!), then turns the printer off if there are still no jobs in the queue. Voila, now the printer turns itself on when you want to print something and it remembers to turn itself off later.

The tricky bit was figuring out how to post ‘ON’ and ‘OFF’ to the OpenHAB2 REST API. The command goes in the request body as plain text, so -Body holds just the command:

Invoke-WebRequest -URI 'http://openhabserver.domain.gTLD:8080/rest/items/Outlet1' -ContentType "text/plain" -Method POST -Body 'OFF'

The script is available at https://github.com/ljr55555/miscPowershell/blob/master/printQueueMonitor.ps1
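The same check-then-wait logic written out in Python, as an added example (the post's own script is the PowerShell one linked above). The openHAB URL and the Outlet1 item are the post's; the queue-count, outlet-state, send and sleep functions are injected so the ten-minute grace period can be exercised without a printer or an openHAB server:

```python
"""Queue-driven printer power control: added example, not the post's own PowerShell script."""
import urllib.request

OPENHAB_URL = "http://openhabserver.domain.gTLD:8080"  # the post's placeholder hostname
PRINTER_ITEM = "Outlet1"                               # the post's outlet item
GRACE_SECONDS = 600                                    # the post's ten-minute idle wait before switching off


def send_command(command, item=PRINTER_ITEM, base_url=OPENHAB_URL):
    """POST 'ON'/'OFF' as a text/plain body to /rest/items/{item}: the call the post makes with Invoke-WebRequest."""
    req = urllib.request.Request(
        f"{base_url}/rest/items/{item}",
        data=command.encode("ascii"),
        headers={"Content-Type": "text/plain"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def get_outlet_state(item=PRINTER_ITEM, base_url=OPENHAB_URL):
    """GET /rest/items/{item}/state returns the bare state string, e.g. 'ON' or 'OFF'."""
    with urllib.request.urlopen(f"{base_url}/rest/items/{item}/state", timeout=10) as resp:
        return resp.read().decode("ascii").strip()


def run_once(pending_jobs, outlet_state, send, sleep):
    """One pass of the scheduled task. Returns the command it sent ('ON' or 'OFF') or None.

    pending_jobs() -> int   number of jobs in the server-side queue (on Windows: the count of Get-PrintJob)
    outlet_state() -> str   current outlet state, 'ON' or 'OFF'
    send(command)           sends a command to the outlet (send_command above in production)
    sleep(seconds)          time.sleep in production; injected so the grace period is testable
    """
    jobs = pending_jobs()
    state = outlet_state()
    if jobs > 0 and state != "ON":
        send("ON")
        return "ON"
    if jobs == 0 and state == "ON":
        # Never switch off on the first empty check: a job may have left the queue while the
        # printer is still printing it, or someone may have switched the printer on moments ago.
        sleep(GRACE_SECONDS)
        if pending_jobs() == 0 and outlet_state() == "ON":
            send("OFF")
            return "OFF"
    return None
```

In production the task calls `run_once(count_queue, get_outlet_state, send_command, time.sleep)`, where `count_queue` is whatever counts the server queue on your platform (an assumed helper, not shown). The second check after the sleep looks at the outlet state again as well as the queue, so a printer someone already switched off via the Echo is left alone.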

Bigoted Bakers

The Supreme Court decision in the Masterpiece Cakeshop case clarifies exactly nothing — maybe the ruling would have stood if the review had not disparaged the baker’s religious beliefs. I’m not sure I’d want a baker who hates me (or something I do) to bake me a cake — too many ways to accidentally ruin a cake. Same with the photographer — why risk accidental overexposure or data loss destroying your wedding photos?

But I can see being offended when someone refuses you service based on your sexual orientation (or religion, or ethnicity, or …). I had a whole host of medical problems — eventually learned that my body does not process sugars/carbohydrates well and simply limiting sugars and simple carbohydrates eliminated most of these problems. But a decade before that discovery, the only thing that sorted amenorrhea and fibromyalgia-like symptoms was hormonal birth control pills. My insurance copay was the same amount regardless of where I purchased medication, so I used a small, privately owned pharmacy in a boutique part of town. Until my state passed a law that permitted pharmacists to refuse to distribute anything that contravened their religious beliefs. Shortly thereafter, I got lectured about my sinful promiscuity instead of picking up my prescription. I’m sure there was some way to get the pills from that pharmacy, but frankly I was insulted and more than a little embarrassed. Not that it was the least bit of their business, but I was absolutely celibate. Just didn’t enjoy being chronically exhausted and in pain. Wasn’t worth arguing about, I transferred my prescription to a chain that wasn’t staffed by people who want to pass judgement on my medical prescriptions.

Thinking back to that embarrassment, I hope these anti-discrimination laws get tested by a case where the local officials don’t editorialize — just state the action violates the law and be done with it.

OUD Returning Some DirectoryString Syntax Values As UTF-8 Encoded Bytes

We are still in the process of moving the last few applications from DSEE to OUD 11g so the DSEE 6.3 directory can be decommissioned. Just two to go! But the application, when pointed to the OUD servers, gets “Unable to cast object of type ‘System.Byte[]’ to type ‘System.String’” when retrieving values for a few of our DirectoryString syntax custom schema attributes.

This code snippet works fine with DSEE 6.3.

string strUserGivenName = (String)searchResult.Properties["givenName"][0];
string strUserSurname = (String)searchResult.Properties["sn"][0];
string strSupervisorFirstName = (String)searchResult.Properties["positionmanagernamefirst"][0];
string strSupervisorLastName = (String)searchResult.Properties["positionmanagernamelast"][0];

Direct the connection to the OUD 11g servers, and an error is returned.
The attributes use the same syntax – DirectoryString, OID 1.3.6.1.4.1.1466.115.121.1.15.

00-core.ldif:attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} X-ORIGIN 'RFC 4519' )
00-core.ldif:attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name X-ORIGIN 'RFC 4519' )
00-core.ldif:attributeTypes: ( 2.5.4.42 NAME 'givenName' SUP name X-ORIGIN 'RFC 4519' )

99-user.ldif:attributeTypes: ( positionManagerNameMI-oid NAME 'positionmanagernamemi' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
99-user.ldif:attributeTypes: ( positionManagerNameFirst-oid NAME 'positionmanagernamefirst' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
99-user.ldif:attributeTypes: ( positionManagerNameLast-oid NAME 'positionmanagernamelast' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )

I’ve put together a quick check to see if the returned value is an array, and if it is, decode the byte array as UTF-8 to get the string.

// OUD hands some DirectoryString values back as a byte[] rather than a String;
// decode those as UTF-8, otherwise use the value as-is.
static string GetDirectoryString(object value)
{
    if (value.GetType().IsArray)
    {
        return System.Text.Encoding.UTF8.GetString((byte[])value);
    }
    return value.ToString();
}

string strUserGivenName = (String)searchResult.Properties["givenName"][0];
string strUserSurname = (String)searchResult.Properties["sn"][0];

string strSupervisorFirstName = GetDirectoryString(searchResult.Properties["positionmanagernamefirst"][0]);
string strSupervisorLastName = GetDirectoryString(searchResult.Properties["positionmanagernamelast"][0]);

Voila

The outstanding question is whether we need to wrap *all* DirectoryString syntax attributes in this check to be safe, or if there’s a reason core schema attributes like givenName and sn are returned as strings whilst our add-on schema attributes come back encoded.
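If the answer turns out to be “wrap everything”, the decision of which attributes to decode can be driven by the schema rather than hard-coded per attribute. The following is an added Python example, not the post's C# code: it parses attributeTypes definitions (the ones quoted above, plus jpegPhoto from RFC 2798 so one non-DirectoryString attribute is present), follows SUP inheritance so sn and givenName pick up the syntax of name, and decodes only DirectoryString values that arrive as bytes. The search result it runs over is constructed.

```python
"""Schema-driven decoding of DirectoryString values: added example, not the post's C# code."""
import re

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"

# The post's attributeTypes lines plus jpegPhoto (RFC 2798), as they would be read out of the schema LDIF files.
SAMPLE_SCHEMA = """
attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.42 NAME 'givenName' SUP name X-ORIGIN 'RFC 4519' )
attributeTypes: ( positionManagerNameFirst-oid NAME 'positionmanagernamefirst' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( positionManagerNameLast-oid NAME 'positionmanagernamelast' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 X-ORIGIN 'RFC 2798' )
"""

NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")
SUP_RE = re.compile(r"\bSUP\s+'?([\w.-]+)'?")
SYNTAX_RE = re.compile(r"\bSYNTAX\s+([\d.]+)")   # stops before a {length} suffix


def parse_schema(text):
    """Map every attribute name (lowercased) to its SUP and SYNTAX, from attributeTypes lines."""
    schema = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("attributeTypes:"):
            continue
        m = NAME_RE.search(line)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        sup = SUP_RE.search(line)
        syntax = SYNTAX_RE.search(line)
        entry = {"sup": sup.group(1).lower() if sup else None,
                 "syntax": syntax.group(1) if syntax else None}
        for name in names:
            schema[name.lower()] = entry
    return schema


def syntax_of(attr, schema, _depth=0):
    """Effective syntax OID of an attribute, following SUP inheritance (sn SUP name -> name's SYNTAX)."""
    entry = schema.get(attr.lower())
    if entry is None or _depth > 16:          # unknown attribute, or a SUP cycle in a broken schema
        return None
    if entry["syntax"]:
        return entry["syntax"]
    return syntax_of(entry["sup"], schema, _depth + 1) if entry["sup"] else None


def decode_value(attr, value, schema):
    """str for DirectoryString attributes whether the server returned str or bytes; other syntaxes stay bytes."""
    if isinstance(value, str):
        return value
    if syntax_of(attr, schema) == DIRECTORY_STRING:
        # Strict decode on purpose: a DirectoryString that is not valid UTF-8 is a data problem to surface, not hide.
        return value.decode("utf-8")
    return value


def decode_entry(entry, schema):
    """Apply decode_value to every attribute of a search result given as {attr: [values]}."""
    return {attr: [decode_value(attr, v, schema) for v in values] for attr, values in entry.items()}


SCHEMA = parse_schema(SAMPLE_SCHEMA)

# Constructed search result mixing the two shapes the post describes: core attributes as str, custom ones as bytes.
SAMPLE_ENTRY = {
    "givenName": ["Lisa"],
    "sn": ["Example"],
    "positionmanagernamefirst": [b"Jos\xc3\xa9"],
    "positionmanagernamelast": [b"M\xc3\xbcller"],
    "jpegPhoto": [b"\xff\xd8\xff\xe0"],
}

if __name__ == "__main__":
    for attr, values in decode_entry(SAMPLE_ENTRY, SCHEMA).items():
        print(attr, syntax_of(attr, SCHEMA), values)
```

Feeding the real 00-core.ldif and 99-user.ldif contents into parse_schema gives the same decision table for the whole directory, and binary syntaxes (jpegPhoto here) are left untouched instead of being mangled by a blanket UTF-8 decode.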

Isolated Guest Network On Merlin 380.69_2 (Asus RT-AC68R)

We finally got rid of Time Warner Cable / Spectrum / whatever they want to call themselves this week, and their overpriced Internet that includes five free outages between 1100 and 1500 each day. But the firmware on the new ISP’s router doesn’t have a facility to back up the config. And if we’re going to have static IPs for all of our speakers, printers, servers … we don’t want to have to re-enter all of that data if the router config gets reset. Same with configuring the WiFi networks. And, and and. So instead of using the snazzy new router, we are using our old router on .2, the new router on .1 … and everything actually connects to the old router, uses the DHCP server on the old router, and only uses the new router as its default gateway. Worked fine until we tried to turn on the guest network.

I found someone in Internet-land who has the exact same configuration and wants to permit guests to use the LAN printer. His post included some ebtables rules to allow guest network clients access to his printer IP. Swapped his printer IP for our router IP and … nada.

And then I realized that the router is not the packet destination IP when the guest client attempts to communicate outside our network. The router is the destination MAC address. So you cannot add an ebtables rule to the router’s IP address and expect traffic to flow.

The first thing you need to do is figure out the upstream router’s MAC address. From the Asus, you can query the arp table. If the command says “No match found in # entries”, ping the router and try again.

root@ASUS-RT-AC68R:/tmp/home/root# arp -a 10.5.5.1
? (10.5.5.1) at a3:5e:c4:17:a3:c0 [ether] on br0

The six pairs of hex digits separated by colons – that’s the MAC address. You have to allow bidirectional communication between the guest network interface (wl0.2 for us) and the upstream router’s MAC address. You also have to allow broadcast traffic so guest devices are able to ARP for the router’s MAC address.

To have a persistent config, enable jffs and add the config lines to something like services-start:

root@ASUS-RT-AC68R:/tmp/home/root# cat /jffs/scripts/services-start
#!/bin/sh
logger "SERVICES-START: script start"
# Prevent Echo dots from sending multicast traffic to speaker network
ebtables -I FORWARD -o wl0.1 --protocol IPv4 --ip-source 10.0.0.36 --ip-destination 239.255.255.250 -j DROP
# Guest network - allow broadcast traffic so devices can ARP for router MAC
ebtables -I FORWARD -d Broadcast -j ACCEPT
# Guest network - allow communication to and from router MAC
ebtables -I FORWARD -s a3:5e:c4:17:a3:c0 -j ACCEPT
ebtables -I FORWARD -d a3:5e:c4:17:a3:c0 -j ACCEPT
# This should be automatically added for guest network, but it goes missing sometimes so I am adding it again
ebtables -A FORWARD -o wl0.2 -j DROP
ebtables -A FORWARD -i wl0.2 -j DROP
Use -L to view your ebtables rules:

root@ASUS-RT-AC68R:/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 16, policy: ACCEPT
-d a3:5e:c4:17:a3:c0 -j ACCEPT
-s a3:5e:c4:17:a3:c0 -j ACCEPT
-d Broadcast -j ACCEPT
-p IPv4 -o wl0.1 --ip-src 10.0.0.36 --ip-dst 239.255.255.250 -j DROP
-o wl0.2 -j DROP
-i wl0.2 -j DROP

Voila, guests who can access the Internet & DNS on the .1 router, but cannot access anything on the internal network. Of course you can add some specific IPs as allowed destinations too – like the printers in the example that started me down this path.
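A way to sanity-check the rule set before trusting it with guests, as an added Python example (not Merlin firmware code): it pulls the MAC out of the arp output, generates the same ebtables lines the script above uses, builds the FORWARD chain the way ebtables does (-I prepends, -A appends) and runs the frames that matter through first-match evaluation. The router MAC and wl0.2 are the post's; eth0 (the port facing the upstream router), eth1 (a wired LAN host) and the guest/LAN MACs are constructed assumptions.

```python
"""Simulate the post's ebtables FORWARD chain to confirm guest isolation: added example, not firmware code."""
import re

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC = "a3:5e:c4:17:a3:c0"   # the upstream router's MAC from the post's arp output
GUEST_IF = "wl0.2"                 # the post's guest network interface

MAC_RE = re.compile(r"\bat ([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


def parse_arp(output):
    """Pull the MAC out of an `arp -a <ip>` line; None when the router isn't in the table yet (ping it and retry)."""
    m = MAC_RE.search(output)
    return m.group(1).lower() if m else None


def build_commands(router_mac, guest_if=GUEST_IF):
    """The services-start lines the post uses, generated from the discovered MAC."""
    return [
        "ebtables -I FORWARD -d Broadcast -j ACCEPT",
        f"ebtables -I FORWARD -s {router_mac} -j ACCEPT",
        f"ebtables -I FORWARD -d {router_mac} -j ACCEPT",
        f"ebtables -A FORWARD -o {guest_if} -j DROP",
        f"ebtables -A FORWARD -i {guest_if} -j DROP",
    ]


def apply_commands(commands):
    """Build the chain in evaluation order: -I prepends, -A appends, which is the order `ebtables -L` shows."""
    chain = []
    for cmd in commands:
        parts = cmd.split()
        rule = {"target": parts[parts.index("-j") + 1]}
        for flag, key in (("-i", "in_if"), ("-o", "out_if"), ("-s", "src"), ("-d", "dst")):
            if flag in parts:
                rule[key] = parts[parts.index(flag) + 1]
        if parts[1] == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def mac_matches(pattern, mac):
    if pattern.lower() == "broadcast":      # ebtables' Broadcast keyword
        return mac.lower() == BROADCAST
    return pattern.lower() == mac.lower()


def rule_matches(rule, frame):
    for key, want in rule.items():
        if key == "target":
            continue
        have = frame.get(key)
        if have is None:
            return False
        if key in ("src", "dst"):
            if not mac_matches(want, have):
                return False
        elif want != have:
            return False
    return True


def verdict(frame, chain, policy="ACCEPT"):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule_matches(rule, frame):
            return rule["target"]
    return policy


def isolation_report(chain):
    """Run the frames that matter for a guest network through the chain (constructed guest and LAN host MACs)."""
    guest, lan_host = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = {
        "guest->router":   {"in_if": GUEST_IF, "out_if": "eth0", "src": guest, "dst": ROUTER_MAC},
        "router->guest":   {"in_if": "eth0", "out_if": GUEST_IF, "src": ROUTER_MAC, "dst": guest},
        "guest arp bcast": {"in_if": GUEST_IF, "out_if": "eth0", "src": guest, "dst": BROADCAST},
        "guest->lan host": {"in_if": GUEST_IF, "out_if": "eth1", "src": guest, "dst": lan_host},
        "lan host->guest": {"in_if": "eth1", "out_if": GUEST_IF, "src": lan_host, "dst": guest},
    }
    return {name: verdict(f, chain) for name, f in frames.items()}


if __name__ == "__main__":
    mac = parse_arp("? (10.5.5.1) at a3:5e:c4:17:a3:c0 [ether] on br0")
    for name, result in isolation_report(apply_commands(build_commands(mac))).items():
        print(f"{name:16} {result}")
```

The simulation also shows why the script inserts the ACCEPT rules with -I rather than appending them: the firmware's own `-i wl0.2` / `-o wl0.2` DROP rules may already be in the chain, and an ACCEPT appended behind them never gets evaluated, so guests would lose the upstream router as well. Note that the Broadcast ACCEPT is what lets guests ARP for the gateway, but it also lets their broadcasts (ARP, DHCP discovery) reach every LAN host; unicast replies from LAN hosts back into wl0.2 are still dropped.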

Playground Time

One of my proudest parenting moments this past year wasn’t even something I taught Anya. She was in pre-school, and there was always a group of people that would hang out after pick-up and play on the little playground. The kids … “parallel play” is the technical term for it — little kids don’t really *play together*. They do their own thing in close physical proximity to another kid. A few bigger/older/more outgoing kids would run around the yard, while the younger/smaller/shyer kids would more or less hide. Anya was younger/smaller/shyer — which made after-school play time not a lot of fun. So I’d play with all of the kids — coordinate an activity so all of the kids were on the same task. Be the ‘finder’ in a game of hide and seek, have two dozen little kids chase me around. Sometimes I’d even have a little physics lesson — there are lots of cool real-life physics things in a playground — kinetic vs. static friction trying to walk up a slide, levers at the seesaw, momentum on a swing. Or math — the kids would pick the number I would count to in hide-and-seek, and sometimes someone would get goofy with it. Count to a million — OK, 100k, 200k, 300k, etc. Count to zero! OK, -10, -9, -8, etc. Once they got started, and after the kids got worn out some, they’d usually start playing together in smaller groups; and I had some time to chat with the other parents.

One day, I had to work during pickup time. My husband ran over to the school, picked up our daughter, and took her into the playground to hang out with her friends. In my absence, one of the other moms took my role and kicked off a game of hide and seek. Other people valued having their kids play together — a couple people told me that they’d started leading group playtime at other parks when they’re out.

I hope a few of these playtime hours are great memories for Anya when she’s older.

Show Respect

All NFL Players ‘Shall Stand And Show Respect’ For Flag And Anthem – Wow! I wish I was an avid football viewer so *not* watching football would be a state change. Hopefully being permitted to stay in the locker room enables players to make their point. If two guys on a team of, what, fifty people aren’t on the sideline you’d never notice. Half only emerge once the anthem is over? That makes a statement too. And someone’s camera would end up in the locker room to cover the protest. Any takers on how long it is before players aren’t permitted to stay off the field after that protest makes news?

‘Show respect’ is an ill-defined term too. I assume this is so you don’t have guys standing backwards, but how is hanging back in the locker room playing Candy Crush *more* respectful than kneeling during the anthem? And for the guys on the field, some dude who was kneeling last season is a little slouchy in his stance, the team still gets fined to avoid a presidential tantrum?

The whole idea of being forced to stand for the anthem seems anathema to the ideals of our country, even if the long history of private employment shows we can be forced into just about anything if we want to continue receiving a pay cheque. The same could be said for being forced to stand and pledge allegiance to the country 180 days a year for thirteen years. Or more – I was rather dismayed to learn that my daughter’s preschool class was taught the pledge of allegiance so they could recite it at their graduation ceremony. Now I’ve got a bit of an Anabaptist philosophy – I don’t much see the point in having someone repeat words or go through a ceremony without *understanding* what they are doing. I avoided children’s clothing with words on it – overkill, yeah, but a six month old baby doesn’t *mean* to say “I just did 9 months on the inside”, “Grandma’s Drinking Buddy”, or make a boob joke, no matter how many people find the messages cute or silly. Until she knew and understood what the shirt said, she got shirts with pictures. Or patterns. Or plain colours. So I asked my kid if the teacher explained what allegiance *is*, or even explained any of the historic principles of the United States. Of course not; they were just given words to recite. Now we’ve had some discussion of the country’s principles and failings – she votes with me two times a year (primaries and general, this is not some admission of voter fraud), we’ve discussed how to affect local, state, and federal laws (and the diminishing influence an individual has as you move from local to state to federal government). But the principles of the Republic for which the flag stands are pretty abstract to convey to a preschooler. And pledging allegiance to a flag? The essence of a nation is not bound up in its cloth banner.

Forced recitations of pledges and vows do nothing to impart knowledge, develop skills, or promote good citizenship. As an intimidation technique, forced declaration of faith and loyalty are not new, although they are generally the hallmark of an insecure society. People do not become more patriotic through such declarations, but being subject to coercion can have the opposite effect.

On Procedure

A little more than a year ago, Trump somehow thought that associates being the subject of a judicially approved wiretap somehow exonerated him. This week, the fact that the FBI had sufficient evidence that his campaign received and possibly sought the aid of foreign governments to place an informant in the campaign organization is meant to show how the whole investigation is FAKE NEWS. And, hell, for all we know someone who worked for the campaign heard about these meetings and reached out to the FBI to report it.

And he compares an FBI informant in his campaign to Watergate — where burglars broke into the DNC HQ office, installed listening devices in the phones, and then broke in again. Difference is *burglars* broke into the office and planted devices to intercept conversations (and broke in again to ‘repair’ their initial work). When the FBI uses informants, on the other hand, “special care is taken to carefully evaluate and closely supervise their use so the rights of individuals under investigation are not infringed. The FBI can only use informants consistent with specific guidelines issued by the attorney general that control the use of informants”. Which makes Trump’s claim another bit of ‘deep state’ paranoia.

It’s not unreasonable to conclude that evidence of the campaign’s interaction with foreign powers was discovered and prompted the investigation. Have the DoJ look into it and verify the FBI followed their internal policy, although that’s a bit of a stretch. Given the number of meetings with representatives of foreign governments the campaign took looking for campaign assistance, Trump’s assertion is a bit like a meth cook saying the whole system is corrupt as evidenced by the search warrant for his lab being signed off on by a judge.

The strangest bit of the whole assertion is that a deep state conspiracy to undermine Trump’s campaign would have been far more effective if it were announced prior to the election. After the fact, it’s pretty ineffective. Best case for an after-the-fact investigation is they manage to impede the process of governing until the next election cycle. The day before the last debate, publicize (or leak) news of this investigation? A day or two before the election?

It’ll convince the 30% who are out to prove Trump right on one matter — he could shoot someone on 5th Ave and still have their support.
The Horrors!

The TL;DR summary of the Trump Tower meeting, by way of the Senate Committee testimony, seems to be “we wanted dirt on our opponent to help win the election, and were right eager to accept said help from Russia but this meeting failed to provide what we wanted to procure”. Which, as far as defenses go … not a great one.

While one is not meant to consider the ramification of a legal decision, Trump Jr’s testimony brings to mind prostitution sting operations. I would love to see the defendant claiming that they had not in fact engaged in an illegal activity. Sure they wanted to exchange money for sex. The sex was never provided; ipso facto the law was not broken. Case dismissed! Sorry to inconvenience you, upstanding citizen.

DSEE 6.3 To OUD 11g Transition

There’s no direct path to replicate data from DSEE 6.3 to OUD 11g. Not unreasonable since DSEE is the Sun product based on the Netscape Directory Server and OUD is the Oracle product based on OpenLDAP – they weren’t exactly designed to allow easy coexistence that would permit customers to switch from one to the other. Problem is, with Oracle’s acquisition of Sun & axing the DSEE product line … customers *need* to interoperate or do a flash cut.

Since our Identity Management (IDM) platform was not able to prep development work and implement their changes along with the directory replacement, a flash cut was right out. I’ve done flash cuts before — essentially run two completely different directories in parallel with data fed from the Identity Management platform, test against the new directory using a quick modification to the OS hosts file, then reconfigure the virtual IP on the load balancer to direct the existing VIP to the new service hosts. Quick/easy fail-back is to set the VIP to the old config and sort out whatever is wrong on the new hosts. A lot lower risk than a traditional ‘flash cut’ approach as long as you trust the IDM system to keep data in sync. But lacking an IDM system, a flash cut is typically a non-starter anyway.

There is a migration path. Oracle put some development effort into the DSEE product line prior to discontinuing it. DSEE7 was the Sun distributed “next version”. It was not widely deployed prior to the Oracle acquisition. Oracle took over DSEE7 development but called it DSEE11 (to match the OUD version numbering, I guess?). Regardless of the rationale, you’ll see the “next version” DSEE product referred to as both DSEE7 and DSEE11.

There’s not a direct replication between Oracle DSEE11 and Oracle OUD11. Oracle created a “replication gateway” that handles, among other things, schema name mapping (only Netscape would use attribute names like nsAccountLockout, and that nomenclature carried through to the Sun product). Oracle did a decent job of testing DSEE11<=>OUD11 Replication Gateway interoperability. I don’t know if they just assumed DSEE6 would work because DSEE11 did or if they assumed the installation base for DSEE6 was negligible (i.e. didn’t bother to test older revisions), but we found massive bugs in the replication gateway working with DSEE6. “You cannot import the data to initialize the OUD11 directory” type of bugs, which I was willing to work around by manually editing the export file, but subsequent “updates do not get from point ‘A’ to point ‘B’” bugs too. The answer from Oracle was essentially “upgrade to DSEE11” … which, if I could flash-cut upgrade DSEE6 to DSEE11 (see: IDM platform couldn’t do that), I could just cut it to OUD11 and be done. Any non-trivial change was a non-starter, but Oracle wasn’t going to dump a bunch of development time into fixing replication from a dead product to their shiny new thing.

I worked out a path that used tested and working components — DSEE6 replicated just fine with DSEE11. DSEE11 replicated just fine with the OUD11g replication gateway, and the OUD11g replication gateway replicated fine with OUD11g. Instead of introducing additional expense and time setting up dedicated replication translation servers, I installed multiple components on the new servers. There is a DSEE11 directory on one of the new OUD servers, the replication gateway on another one of the new OUD servers, and (of course) the OUD11g directory that we actually intended to run on the new servers is on those new OUD servers.

This creates additional monitoring overhead – watching replication between three different directories and ensuring all of the services are running – but allows the IDM platform to continue writing changes to the DSEE6.3 directory until they are able to develop and test changes that allow them to use OUD11g directly.