I’m making a rainbow mane and tail for Anya’s unicorn custom. To make the mane, I took a piece of cardboard twice as long as I want the mane to be. Folded it in half and laid a piece of white ribbon over the fold (clipped it in place at first). And then wrapped yarn around the thing. A lot of yarn đ
Once the yarn was wrapped in the order she wanted, hand-stitched the yarn to the ribbon. After the yarn was attached, I cut the bottom. Stitching the ribbon onto the fur hood, we’ve got a mane.
Anya wants to be a unicorn for Halloween this year — I got some awesome white “fur” and made a shirt and pants from the same patterns I used for her lion costume last year. I just need a different headpiece and tail. I think I’m going to use the hood from a poncho pattern that I’ve got. Attach a mane, some ears, and a horn … voila, a unicorn.
To make the ears, I cut a basic form from comic book board (half-back … what I use to wrap and store my fabric pieces), glued a piece of pink satin to each piece of cardboard, and then wrapped the back with a cut of furry fabric. The fur is glued onto the pink satin. Lots of clips to hold the thing in place while the glue set …
Run:
journalctl -o short-iso-precise
Results:
2018-09-19T23:30:11.651010-0400 linux05.domain.ccTLD process[PID]: Log message here.
The graphical interface on a Fedora 28 laptop was unavailable — buggered up video device/driver. Change to what used to be called run level 3, and we could not log in! We know the root password, but it would not take it. Single user is password protected too — and we were unable to log in there.
Normal recovery process:
Get to the grub menu, highlight the kernel you want to boot, and hit ‘e’ to edit it. Scroll down. On line that starts with linux16, change “rhgb quiet” to say “rd.break enforcing=0”
ctrl-x to boot
Once you get a shell:
mount -o remount,rw /sysroot
chroot /sysroot
Voila, you’ve got access to your files. Use vi to edit whatever has the box seriously screwed up (passwd if your problem is that you don’t know the root password) and you’re set. We reset the root password just in case. Aaaand … we still couldn’t log in on init 1 or init 3! And at this point I was feeling stubborn about getting logged into the box.
Now you can tweak up the system so it is not using sulogin when booting into single user mode but that isn’t a good way to install network-sourced packages. For some reason, we had to disable selinux before we could log into anything other than the graphical target. I’m sure there is a policy we could have tweaked, but it was far easier to disable the thing, boot into the multi-user target, sort the video driver, and then boot into the graphical target.
A few years ago, I implemented a custom password filter in Active Directory. At some point, it began accepting passwords that should be rejected. The updated code is available at https://github.com/ljr55555/OpenPasswordFilter and the following is the approach I used to isolate the cause of the failure.
Technique #1 — Netcap on the loopback There are utilities that allow you to capture network traffic across the loopback interface. This is helpful in isolating problems in the service binary or inter-process communication. I used RawCap because it’s free for commercial use. There are other approaches too – or consult the search engine of your choice.
The capture file can be opened in Wireshark. The communication is done in clear text (which is why I bound the service to localhost), so youâll see the password:
And response
To ensure process integrity, the full communication is for the client to send âtest\nâ then âPasswordToTest\nâ, after which the server sends back either true or false.
Technique #2 — Debuggers Attaching a debugger to lsass.exe is not fun. Use a remote debugger — until you tell the debugger to proceed, the OS is pretty much useless. And if the OS is waiting on you to click something running locally, you are quite out of luck. A remote debugger allows you to use a functional operating system to tell the debugger to proceed, at which time the system being debugged returns to service.
Install the SDK debugging utilities on your domain controller and another box. Which SDK debugging tool? Thatâs going to depend on your OS. For Windows 10 and Windows Server 2012 R2, the Windows 10 SDK (Debugging Tools For Windows 10) work. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools or Google it.
On the domain controller, find the PID of LSASS and write it down (472 in my example). Check the IP address of the domain controller (10.104.164.110 in my example).
From the domain controller, run:
dbgsrv.exe -t tcp:port=11235,password=s0m3passw0rd
Where port=11235 can be any un-used port and password=s0m3passw0rd can be whatever string you want ⌠youâve just got to use the same values when you connect from the client. Hit enter and youâve got a debugging server. It wonât look like it did anything, but youâll see the port bound on netstat
And the binary running in taskman
From the other box, run the following command (substituting the correct server IP, port, password, and process ID):
windbg.exe -y “srv:c:\symbols_pub*http://msdl.microsoft.com/downloads/symbols” -premote tcp:server=10.104.164.110,port=11235,password=s0m3passw0rd -p 472
This attaches your WinDBG to the debugging server & includes an internet-hosted symbol path. Donât worry when it says âDebugee not connectedâ at the bottom â that just means the connection has not completed. If it didnât connect at all (firewall, bad port number, bad password), youâd get a pop-up error indicating that the initial connection failed.
Wait for it … this may take a long time to load up, during which time your DC is vegged. But eventually, you’ll be connected. Donât try to use the DC yet â it will just seem hung, and trying to get things working just make it worse. Once the debugger is connected, send ‘g’ to the debugger to commence â and now the DC is working again.
Down at the bottom of the command window, thereâs a status (0:035> below) followed by a field where you enter commands. Type the letter g in there & hit enter.
The status will then say âDebuggee is running âŚâ and youâre server is again responsive to user requests.
When you reach a failing test, pause the debugger with a break command (Debug=>Break, or Ctrl-Break) which will veg out the DC again. You can view the call stack, memory, etc.
To search the address space for an ASCII string use:
!for_each_module s -[1]a ${@#Base} L?${@#Size}Â "bobbob"
Where âbobbobâ is the password I had tested.
Alternately, run the âpsychodebugâ build where LARGEADDRESSAWARE is set to NO and you can search just the low 2-gig memory space (32-bit process memory space):
s -a 0 L?80000000 "bobbob"
* The true/false server response is an ASCII string, not a Boolean. *
Once you have found what you are looking for, âgoâ the debugger (F5, Debug=>Go, or  âgâ) to restore the server to an operational state. Break again when you want to look at something.
To disconnect, break and send âqdâ to the debugger (quit and detach). If you do not detach with qd, the process being debugged terminates. Having lsass.exe terminate really freaks out the server, and it will go into an auto-recovery âIâm going to reboot in one minuteâ mode. Itâll come back, but detaching without terminating the process is a lot nicer.
Technique #3 â Compile a verbose version. I added a number of event log writes within the DLL (obviously, it’s not a good idea in production to log out candidate passwords in clear text!). While using the debugger will get you there eventually, half an hour worth of searching for each event (the timing is tricky so the failed event is still in memory when you break the debugger) ⌠having each iteration write what it was doing to the event log was FAAAAAR simpler.
And since Iâm running this on a dev DC where the passwords coming across are all generated from a load sim script ⌠not exactly super-secret stuff hitting the event log.
Right now, Iâve got an incredibly verbose DLL on APP556 under d:\tempcsg\ljr\2\debugbuild\psychodebug\ ⌠all of the commented out event log writes from https://github.com/ljr55555/OpenPasswordFilter arenât commented out.
Stop the OpenPasswordFilter service, put the verbose DLL and executables in place, and reboot. Change some passwords, then look in the event viewer.
ERROR events are actual problems that would show up either way. INFORMATION events are extras. I havenât bothered to learn how to properly register event sources in Windows yet đ You can find the error content at the bottom of the “this isn’t registered” complaint:
You will see events for the following steps:
DLL starting CreateSocket
About to test password 123paetec123-Dictionary-1-2
Finished sendall function to test password123paetec123-Dictionary-1-2
Got t on test of paetec123-Dictionary-1-2
The final line will either say âGot tâ for true or âGot fâ for false.
Technique #4 â Running the code through the debugger. Whilst thereâs no good way to get the âNotification Packageâ hook to run the DLL through the debugger, you can install Visual Studio on a dev domain controller and execute the service binary through the debugger. This allows you to set breakpoints and watch variable values as the program executes â which makes it a whole lot easier than using WinDBG to debug the production code.
Grab a copy of the source code â weâre going to be making some changes that should not be promoted to production, so I work on a temporary copy of the project and delete the copy once testing has completed.
Open the project in Visual Studio. Right-click OPFService in the âSolution Explorerâ and select âPropertiesâ
Change the build configuration to âDebugâ
Un-check âOptimize codeâ â code optimization is good for production run, but it will wipe out variable values when you want to see them.
Set a breakpoint on execution â on the OPFDictionary.cs file, the loop checking to see if the proposed word is contained in the banned word list is a good breakpoint. The return statements are another good breakpoint as it pauses program execution right before a password test iteration has completed.
Build the solution (Build=>Build Solution). Stop the Windows OpenPasswordFilter service.
Launch the service binary through the debugger (Debug=>Start Debugging).
Because the program is being run interactively instead of through a service, youâll get a command window that says âPress any key to stop the programâ. Minimize this.
From a new command prompt, telnet to localhost on port 5995 (the telnet client is not installed by default, so you may need to use âTurn Windows features on or offâ and enable the telnet client first).
Once the connection is established, use CTRL and ] to get into the telnet command prompt. Type set localecho ⌠now youâll be able to see what you are typing.
Hit enter again and youâll return to the blank window that is your telnet client. Type test and hit enter. Then type a candidate password and hit enter.
Program execution will pause at the breakpoint youâve set. Return to Visual Studio. Select Debug =>Window=>Locals to open a view of the variable values
View the locals at the breakpoint, then hit F5 if you want to continue.
If youâre set breakpoints on either of the return statements, program execution will also pause before the return ⌠which gives you an opportunity to see which return is being used & compare the variable values again.
In this case, I submitted a password that was in the banned word list, so the program rightly evaluated line 56 to true and returns true.
There are all sorts of reasons you need to provide your e-mail address to random Internet strangers â purchasing products, registering for a conference, signing up for a newsletter. Unfortunately, disseminating your address across the internet can lead to an inundation of unwanted email.
In addition to spam filters to filter out unwanted mail, Exchange Online supports âsub-addressingâ. A sub-address is a slightly modified version your e-mail address that can customize your address for every situation â just before the â@â symbol in your e-mail address, put a plus and then some unique text. It will look like Your.N.Ame+SomeIdentifier@company.ccTLD instead of Your.N.Ame@company.ccTLD.
When signing up for a Microsoft newsletter, I can tell them my e-mail address is Lisa.Rushworth+MicrosoftSecuritySlate@company.ccTLD and messages sent to that address will be delivered to my mailbox. When I sign up for the NANPA code administration newsletter, I can tell them my e-mail address is Lisa.Rushworth+NANPACodeAdmin@company.ccTLD.
Should you start receiving unwanted solicitations to the sub-address, you can then create a rule to delete messages sent to that address. You can even exclude messages from the intended sender from the deletion rule â allowing, for example, messages from the NANPA Code Admin newsletter to reach your mailbox whilst blocking anyone else from using the address.
You can also alert the person to whom you provided the address that their contact list may have been compromised.
We occasionally have to re-home our shell scripts, which means updating any static path values used within scripts. It’s quick enough to build a sed script to convert /old/server/path to /new/server/path, but it’s still extra work.
The dirname command works to provide a dynamic path value, provided you use the fully qualified path to run the script … but it fails spectacularly whens someone runs ./scriptFile.sh and you’re trying to use that path in, say, EXTRA_JAVA_OPTS. The “path” is just . — and Java doesn’t have any idea what to do with “-Xbootclasspath/a:./more/path/goes/here.jar”
Voila, realpath gives you the fully qualified file path for /new/server/path/scriptFile.sh, ./scriptFile.sh, or even bash scriptFile.sh … and the dirname of a realpath is the fully qualified path where scriptFile.sh resides:
#!/bin/bash
DIRNAME=`dirname $(realpath "$0")`
echo ${DIRNAME}
Hopefully next time we’ve got to re-home our batch jobs, it will be a simple scp & sed the old crontab content to use the new paths.
Yeah, I know there aren’t actually run levels anymore. The systemd equivalent of running init 3 to boot into console mode is
systemctl isolate multi-user.target
And the equivalent of running init 5 to boot into GUI mode is
systemctl isolate graphical.target
This is a one-time thing, not a config change. If you want to permanently switch to console mode you’d use systemctl set-default multi-user.target
Prerequisites:
You will need the âGitâ plugin (https://plugins.jenkins.io/git).
You will need the âGitHubâ plugin (https://plugins.jenkins.io/github)
Setting Up Access Within GitHub:
Log into GitHub and navigate to your repository. Click the âSettingsâ tab, then select âDeveloper settingsâ from the bottom of the left-hand menu. From the Developer Settings page, select âPersonal access tokensâ.
Click âGenerate new tokenâ to add a token for your Jenkins integration.
Provide a description for the token and select permissions â read access to the repo is sufficient.
Save the token and copy the secret text.
Setting Up Jenkins â Configuring GitHub Integration
On your Jenkins server, select âManage Jenkinsâ
Select âConfigure Systemâ
Scroll down â possibly a lot â to the GitHub section. Click on the âAdd GitHub Serverâ drop-down and select âGitHub Serverâ
Provide a name, the API URL is pre-populated. Next to Credentials, click the drop-down for âAddâ and select âJenkinsâ.
The credential kind is âSecret textâ, and âIDâ is your GitHub user ID. Save the credential
Select cred from drop-down and test
Hopefully the credentials are verified, you are done.
Using Jenkins â Creating A Basic Pipeline:
Click on âNew Itemâ, create a new Freestyle project, and give it a descriptive name.
Since this is a GitHub project, Iâm adding the project URL â thatâs the actual project URL, not the URL for a specific branch or the path to clone the project.
As you scroll down, the tab will change to âSource Code Managementâ. Select âGitâ and enter the URL used to clone the repository. If you have not already added credentials, click âAddâ; otherwise select the appropriate credential from the drop-down menu. If you intend to build a branch other than master, correct the branch name.
Build triggers will depend on what exactly you want to happen. You can trigger new builds based on PRs or push activity. You can schedule a nightly build.
If there are a lot of changes, you may not wish to re-build the project every single time the repo changes. Conversely if the repo rarely changes, nightly builds waste a lot of cycles), etc.
Using the hook trigger requires that your Jenkins server be Internet-accessible and as such has a non-zero risk of malicious access. You can expose your endpoint through a reverse proxy to have more control over service access. I have also experimented with using GitHub provided metadata, https://api.github.com/meta, to restrict access to certain subnets. A potential attacker could still proxy their access by attempting to register your Jenkins endpoint in their GitHub project ⌠but thatâs a narrower attack vector than âanyone who can make a web callâ.
If you want to trigger builds based on changes within the GitHub project, you can configure Jenkins to automatically register webhooks or you can manually add the webhook to your project.
Manual Webhook creation: Within your projectâs âSettingsâ tab, select âWebhooksâ and then âAdd webhookâ.
Automatic Webhook creation: Manage Jenkins => Configure System. In the GitHub section, click the second âAdvancedâ button (with a notepad next to it).
Click the âAdditional Actionsâ drop-down menu and select âConvert login and password to tokenâ
Enter your credentials and click âCreate token credentialsâ
A message will be displayed confirming the credential.
In this case, I will schedule a nightly build of the project. After selecting âBuild periodicallyâ, enter the cron-like expression to control when you want builds to occur. To avoid having a lot of project builds initiated at quarter-hour marks, use the modifier âHâ to indicate a time range. In this example, the build will be triggered some time between 02:00 and 04:59. Since the value of H is a hash of the job name, the build time will be consistent (i.e. the time displayed below the schedule field will be the time used each cycle). This means it is still possible to have a number of builds scheduled simultaneously.
Time, by default, is relative to your Jenkinsâ server JVM configuration. You can override that setting by adding a TZ directive at the beginning of the schedule field.
There are a number of pre-build and post-build actions you can take, and various add-on modules expand this functionality. You can manage builds, Docker containerization, and deployment into Kubernetes clusters from Jenkins build pipelines.
Once the job has been saved, you can run it immediately by returning to the dashboard. Click the little clock to the right of the item listing.
Once a build has been completed, the itemâs workspace will contain the build and console output from the build job. If a job fails, console output is a good point to start troubleshooting.
I remember watching the Truth and Reconciliation Commission hearings broadcast back in 1996. It was my first exposure to the idea of restorative justice, and an incredible lesson in forgiveness. Do I consider the slight against me more heinous than murder and rape that withholding forgiveness might be justified? The weekly broadcast was a reminder of how powerful forgiveness can be.
Juxtaposing those hearings with the Ford/Kavanaugh debacle yesterday highlights a failing in the guilt/punishment driven “justice” system. There are certain crimes where it makes sense to ascribe guilt and mete out punishment — financial reparations when someone has caused monetary loss, removing a person from society when they are apt to continue harming others. I doubt that is the case here. I know what I wanted from the guy who assaulted me — for him to own it and to learn from it. Had Kavanaugh admitted to terrible behavior as a young man, said that there were occasions when he was so drunk he does not recall his actions (thus cannot confidently recall or deny assaulting Ford), been truly remorseful for both his behavior and how his behavior impacted other people, and acknowledged that he is aware of his faults and has stopped drinking (or ceased drinking to excess) and acting in a domineering/privileged way … but, no. We get a belligerent assertion that he is not, well, belligerent. And never drank to excess.
I’d still object to a SCoTUS nominee who thinks it’s debatable whether a president can be indicted while in office. Or that criminal investigations into a president should be deferred until he is out of office. Or that George W approach to torture, extrajudicial detention, and war was a bit of all right. But I would at least get the desire to forgive someone for their decades-old actions if they owned those actions, regretted those actions, and changed.