Drafts of the non-beer variety

Back when gays were banned from the military, I figured there was either an implied belief that we would never need to draft soldiers again or a big ‘*’ following the ban. Because unless they’re requiring video evidence of your disqualification, I’d happily claim to want to do chicks to avoid becoming cannon fodder. Hell, even if they demand evidence, I would do another chick to avoid being drafted. Became a moot point when the ban was lifted. And then came Trump.

Now that trans individuals are banned from the military, can you instantly avoid conscription by claiming to be transgender? The technical definitions I’ve seen are based on internal experiences and feelings – there’s no requirement to undertake reassignment surgery or ingest hormones. Which also brings into question the flimsy “their medical expenses are exorbitant” argument.

Beyond the actual maybe-a-policy-change that has been made, are tweets now considered official statements of government policy?! Or Trump’s got absolutely no intention of actually implementing the policy and just wanted a bunch of bigoted supporters to go back to loving him.

Furls CAL – Sun Hat

WooHoo! The sun hat crochet along finally reached the pattern stage! I used the same cream coloured yarn for the main hat, but have a slightly iridescent light green yarn for the accent. I’m thinking about making Anya’s hat in reverse – using the green for the main yarn with cream as an accent. Partially because I don’t like having the exact same thing and partially because inverting the colours uses the yarn more efficiently (otherwise I am going to have a heap of the accent colour left over!)

Round four completed:

I have trouble keeping track of the start and end of rounds — not a problem unique to this pattern, Anya’s star blanket was just as tricky for me. Easy enough to re-count the stitches on early rounds — and frogging a few stitches isn’t such a big deal. As the project progresses to the point where a round comprises 40 or 50 stitches, adding or missing a stitch is a pain to correct. I’ve tried using those little round stitch markers, and honestly I just don’t get it. If they had splits in the rings and could easily slip back off of the project … that would make sense to me.

I’ve come up with an easy method to keep track of rounds — a water-soluble marker I use for marking dress patterns. Test it on your yarn to make sure it comes off completely (and mark in an inconspicuous spot just in case). Which stitch it makes sense to highlight will vary by pattern. Here, the chain stitch which starts each round does not count as the first stitch. I chose to mark this ‘skipped’ stitch. The round should end immediately before the marked stitch, and the first hdc from the round into which the last hdc is slip stitched is immediately after it. Chain one and mark again. See the little blue marks on the “inside” of the hat? Those are my ch stitches. Voila, two rounds without frogging anything 🙂

On Firing People

The new press guy @ the White House told the press he was planning to fire Michael Short, and then seemed dismayed that the press somehow knew the fellow was being fired before it happened. Goofy, really, but not the worst thing the Trump admin’s going to do this week. What struck me, though, is the way Scaramucci expressed his displeasure. “The fact that you guys know about it before he does really upsets me as a human being and as a Roman Catholic. You got that? So I should have the opportunity if I have to let somebody go to let the person go in a very humane, dignified way”.

Not saying I disagree with him – there are some things that should be done in person and without previous publicity. There’s a reason victims’ names are withheld until family is notified. There’s a reason texting someone to break up with them has such a bad reputation. And there’s a reason that James Comey delivering a speech while seeing his termination broadcast on national television was such a horrifying way to fire someone. The juxtaposition made Scaramucci’s complaint extra ironic.

Visual Studio Code

We found a free, open source code editor from Microsoft called Visual Studio Code. There are downloadable extensions that add syntax highlighting and formatting for a variety of programming languages (C#, C++, Fortran), scripting languages (Perl, PHP), and other useful formats like MySQL and Apache httpd config files. It also serves as a GUI front end to git, which is something I’ve been trying to find since I inherited a git server at work: a way for people to avoid having to remember a dozen different git commands.

Business Practices To Avoid

Don’t ignore your customers. Seems obvious, but failing to engage customers undermines large corporations. I worked for one of Novell’s last big customers back in 2000-2010. We had the misfortune of being in the same territory as their biggest customer, FedEx, so got little sales attention. We were having problems managing computers without using the Active Directory domain — the Dynamic Local User component of ZENworks, which hooked the Novell GINA and created/maintained local user accounts, had been in use before an NT4 domain even existed within the company. In perusing their web site, I identified a product that perfectly met our needs *and* managed mobile devices (which was an up and coming ‘thing’ at the time). Why, I asked the sales guy, would you not pitch this product to us when we tell you about the challenges we are trying to address? No good answer, but it really was a rhetorical question. There wasn’t a downloadable demo available, you had to engage your sales rep to get a working demo copy — I asked for one, and he said he’d get one to me when he got back to his office.

Nothing. Emailed him a week later in case he just forgot. Oh, yeah, I’ll get that right out to you. A few weeks later, emailed him again. A few weeks later — well, let’s be serious here. We started using Exchange in 2000, and had an Active Directory domain licensed for all users anyway. We were willing to consider paying real money for the Novell product because the migration path was easier … but from a software licensing perspective, switching workstation authentication to AD was a $0 thing. Needed a few new servers to handle authentication traffic – I think I went with five at about three thousand dollars each. Deployment, now that’s a nightmare. I wrote custom code to re-ACL the user profile directory and modify the registry to link the new domain user’s SID to the re-ACL’d old profile directory. It got pushed out via automated software deployment and the failures would call in each morning. Even a 1% failure rate when you’re doing 10,000 computers a week is a lot of phone calls and workstation re-images. (At a subsequent employer, we made the same change but placed workstations into the domain as they were re-imaged for other reasons. New computer, you’re in the domain. Big problems with your OS, you’re in the domain. Eventually we had a couple hundred computers not yet in the domain and the individual users were contacted to schedule a reimage. Much cleaner process.)

The company didn’t last much longer — they purchased SuSE not much later. The sales guys came back – we used RHEL but would have happily bundled our Linux purchases into the big million dollar contract. How much are you looking to charge for updates? Dunno. How much is support? Dunno. Do you know anything about the company’s sales plan for SuSE? Not a thing. Well … glad you could stop by? I guess.

As far as software companies go, this is ancient history. But it’s something I think of a lot when dealing with Microsoft these days. There’s a free mechanism, LAPS (Local Administrator Password Solution), that uses your existing Active Directory to store local workstation admin account passwords. Each workstation manages its own password — no two passwords are the same; you can read an individual computer’s password out of AD and provide it to the end user. Expire the computer’s local admin password and the next time it communicates with the domain, the password will be changed. (Since the password lives in an AD attribute, the whole scheme is only as strong as the list of principals allowed to read that attribute; restrict it and audit the reads.) Never heard of it from the MS sales guy – someone found LAPS through random web searching. Advanced Group Policy Management, which provides auditing and versioning for group policies – not something our MS reps mentioned. Visual Studio Code – yet another find based on random web searching. I know it isn’t the sales guy’s job to tell me about every little bit of free add-on code they have created, but isn’t it in their best interest to ensure that the products we have become an intrinsic part of our business processes? I tell our SharePoint group that all the time — there are a lot of web based content management platforms. If all you use it for is avoiding web coding … well, I’ve got WordPress that does that. Or some Atlassian wiki thing. And some Jive wiki thing. And some Xerox document repository that has web pages. You need to make something unique to your product intrinsically entwined with business operations so no one would ever think of replacing your product.

Soap Fluff Explosion

I made our saboun al ghar inspired soap today. First attempt at hot processing soap, and I had a massive soap explosion. I’d read that your container should be at least three times the volume of soap you are processing. I went with five times in an attempt to stave off a big mess. Blended my pomace olive oil and lye/water/salt mixture to a light trace, and set it over medium heat. It thickened, just like it’s supposed to. It turned into a gloopy oily mess, just like it’s supposed to. For future reference — the gloopy oily mess stage is where you want to keep a close eye on it and don’t look away for a minute. I turned back around and saw odd foamy soap stuff pouring out of the pot. Oops!

I scooped the soap fluff off the side of the pot and back into the pot and stirred it down. The fluff quickly turned into a slick substance that did look exactly like petroleum jelly. I added the laurel berry oil, stirred well to incorporate, and let cook for a few more minutes until it looked like petroleum jelly again.

The whole mess was glopped into my large silicone-lined wooden soap mold. Now it just needs to set for a while and harden.

24/7 Campaign

How can you be the president of the entire country if you cannot even be the president for the entire military?

The address Trump gave at the commissioning of the USS Gerald Ford may reflect the increasingly long campaign cycle or it may reflect his complete misunderstanding of government (not to mention a complete misunderstanding of how military health care works!). He encouraged (ordered? Not speaking to intent; but as the ostensible head of the military, it would behoove him to use more care in selecting what will be communicated to military personnel) those assembled to “call those senators to make sure you get health care”.

A generous interpretation would be that he isn’t letting an opportunity to push for his legislative agenda pass by – this will be televised, reported … but who stands up at a guy’s retirement party to laud himself and ignore the retiree? Or at a commencement to congratulate yourself … oh, wait. That’d be Trump too. A man seemingly incapable of participating in an event and not making it about himself. Even the generous interpretation is essentially “I’m too self-centered to let your thing be the highlight here”.

But beyond the optics of using the commissioning of a naval vessel as a campaign rally, the ACA does not have a whole lot to do with health care for the active duty military personnel to whom he was ostensibly speaking. TRICARE covers them. It qualifies as insurance under the ACA, so they’re set. Given Trump’s other outright nonsensical ramblings on health care, this in and of itself is telling. Enlisted persons have no more need to lobby for whatever ACA replacement is currently on the table than members of Congress. It’s not going to fuck up their coverage.

Worse, though, the military may report to the president like employees report to the CEO … but it isn’t like we changed out the military for a Republican one in January. They may fight to defend the country, but they are not obligated to support the legislative initiatives of the current administration. From his speech at the CIA Memorial Wall bemoaning how unfairly the press treats him — imagine a similar topic being delivered in front of the Vietnam Veterans Memorial Wall — to this most recent address, Trump seems ignorant of the fact there are liberal government employees and military staff. There are Libertarians. Red scare McCarthyism aside, there are probably socialists too. Point being — there were people in the audience who do not want either of the current Congressional health care plans to pass (given its approval rating, the majority of the crowd may even feel that way!) and how insulting is it that the speaker would co-opt what was meant to be a naval celebration to rally support for something to which you object?!

Different when it’s your own

People are forever saying situations are different when it is your own kid, but I’m starting to apply that logic to special [counsel | prosecutor] investigations. Kellyanne Conway, on Fox News Friday: “Let’s go back to what the purpose of the investigation was: Russian interference in our election. Where is this going and are Americans comfortable with that — with the taxpayers funding this, with this going off all types of chutes and ladders?”

Hello? What was the point of Ken Starr’s investigation? Some real estate investments. What does that have to do with extra-marital affairs? Well, it’s where the investigation led. And laundering Russian money is where the investigation into Russian support of the Trump campaign leads.

Talking About Adoptions

The fact that seems to be missing from reporting on Trump Jr’s meeting and Trump Sr’s unadvertised meeting with Putin where they “talked about adoptions” is that the 2012 Russian restriction on adoptions was retaliation for the US passing the “Russia and Moldova Jackson-Vanik Repeal and Sergei Magnitsky Rule of Law Accountability Act of 2012”. The American law barred eighteen specific Russians from entering the US *and* froze their American holdings.

There’s no talking about adoptions without also talking about the sanctions. It isn’t like the Russians were offering to unilaterally remove the adoption ban. “Talking about adoptions” is essentially a euphemism for discussing the removal of sanctions against a bunch of super wealthy Russians who are probably well-connected to Putin.

Setting Up A New Email Domain – With SenderID and DK/DKIM TXT Records

If you are going to begin using e-mail on a sub-domain of an existing zone, you do not need to do anything special to register the sub-domain. If this is a new domain, it needs to be publicly registered first. The examples herein use a mail domain subordinate to windstream.com (ljrtest.windstream.com). If you are performing the tasks for a new zone, create the new zone first.

To receive e-mail for a domain, create MX record(s). If a third-party vendor hosts the mail, they need to tell you what their mail exchangers are. For internally hosted services, use the same mail exchangers and preferences as windstream.com. As of 19 July 2017, those are:

windstream.com  MX preference = 10, mail exchanger = dell903.windstream.com

windstream.com  MX preference = 20, mail exchanger = vml905.windstream.com

windstream.com  MX preference = 110, mail exchanger = neohtwnlx821.windstream.com

Within Infoblox, you need to be using the external DNS view. You can create matching records in the internal view, but we tend not to create internal MX records: without them, mass-mailing malware on an internal host cannot look up an MX and deliver mail directly, so everything has to go through the relays. In the proper zone, click Add => Record => MX Record

The mail destination will be the subzone (here we are exchanging e-mail with @ljrtest.windstream.com)

Save this change and create the other MX records. DNS alone is not enough: the mail exchangers themselves need to know the domain is now valid, otherwise they will refuse the mail as a relay attempt. On each server, edit /etc/mail/access and add

ljrtest.windstream.com  RELAY

If you want to use the virtusertable to map addresses within the domain, you also need to add the domain name (one domain per line) to /etc/mail/virtuser-domain

Finally, you need to send the mail somewhere. Edit /etc/mail/mailertable and set a relay destination: a host that knows about the domain and is processing mail for it (our Exchange server? someone else’s Unix server? an acquired company’s mail server? It depends on what you are trying to do!). The square brackets around the address tell sendmail to deliver to that host directly instead of doing an MX lookup on it:

ljrtest.windstream.com    relay:[10.5.5.85]

Save the files, run make in /etc/mail to rebuild the hashed .db maps (access, virtusertable, mailertable), and restart sendmail … now you have a fully functional external email domain.

Now secure it – that means adding Sender Policy Framework (SPF), DomainKeys (DK), and DomainKeys Identified Mail (DKIM) records. None of these protect mail in transit; they let receiving servers detect mail forged in your domain’s name.

SPF and SenderID Records

There are both Sender Policy Framework (v=spf1) and SenderID (spf2.0) records – you can create both. SenderID never left experimental status and not too many people check it anymore, but I invariably end up finding the one guy who is evaluating mail validity purely on SenderID when I create just the SPFv1 record.

In Infoblox, select Add => Record => TXT record. The “Name” field is the mail domain itself – the same name the MX records were created on (here ljrtest.windstream.com), not a sub-record. Then the text value – what is that?

The quick answer is that it depends. An SPF record lists all mail servers that should be sending e-mail for a domain. Is that just our MX servers? The MX servers plus the netblocks for the internal relays? Some third-party vendor? Anything that sends with a MAIL FROM in the domain has to be covered, application servers and vendor platforms included, or its mail will not pass.

Our MX servers and a few netblocks would be:

SPF V1: “v=spf1 mx ip4:166.150.191.128/26 ip4:98.17.202.0/23 ip4:173.186.244.0/23 ip4:65.114.230.67/32 ip4:64.196.161.5/32 ?all”

SPF V2: “spf2.0/pra mx ip4:166.150.191.128/26 ip4:98.17.202.0/23 ip4:173.186.244.0/23 ip4:65.114.230.67/32 ip4:64.196.161.5/32 ?all”

If there is a third-party vendor, they may provide an include statement for our SPF record – this is a way of referencing an external company’s SPF record within your own. You’ll see “include:mktomail.com” in our SPF records where Marketo sends mail on our behalf. Each include (along with a, mx, ptr, exists and redirect) counts toward the limit of ten DNS-querying terms per evaluation; exceed it and the whole record evaluates as a permanent error, so be sparing with vendor includes.

The final bit is the all mechanism. We use ?all, which is neutral: the listed sources are good, and we make no assertion about anything else. You may see vendors requesting “~all”, a soft fail: mail from a sender not on the list is not rejected outright, but the recipient may treat it with suspicion (typically by adding to its spam score). The strictest is “-all”, which tells recipients to fail mail coming from any source not in the list.

Does it matter? It depends – if a recipient has configured their mail servers to reject mail on SPF failure and you use -all … mail from servers not on the list will be rejected. Not a lot of companies reject outright on SPF alone, though, so there’s not a whole lot of effective difference; the result does feed into spam scoring, so an incomplete list with -all will still cost you deliverability.

The final step is to test the SPF record. The easiest way to do so is an online SPF test site like http://tools.bevhost.com/spf/ (you can also confirm the published record with dig TXT ljrtest.windstream.com).

I usually test both a host on the list and one not. The ones on the list will pass. The ones not on the list will fail (with -all), soft fail (~all) or report as neutral (?all).
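To see what a recipient actually does with the record above, here is an added example that is not part of the original post: a small Python SPF evaluator implementing the RFC 7208 check_host logic for the qualifiers and mechanisms the page’s record uses (ip4, ip6, a, mx, include, all, redirect=) together with the ten-lookup limit, run offline against the windstream.com record. DNS is replaced by an in-memory table; the MX addresses, the mktomail.com record and the sender addresses are constructed test data in the RFC 5737 documentation ranges, not the real ones.

```python
"""Offline SPFv1 evaluator: the check a receiving MTA performs (RFC 7208 subset).

Supports the qualifiers + - ~ ?, the mechanisms all, ip4, ip6, a, mx and
include, the redirect= modifier and the 10-lookup limit. The a/mx dual-CIDR
suffix, ptr, exists and macros are not implemented. DNS is replaced by a
caller-supplied table so the example runs without network access.
"""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: more than ten DNS-querying terms is a permerror


class FakeDns:
    """Stand-in for DNS. txt maps domain -> SPF record; a and mx map domain ->
    the addresses behind its A/AAAA records or its (already resolved) MX hosts."""

    def __init__(self, txt, a=None, mx=None):
        self.txt = {d.lower(): r for d, r in txt.items()}
        self.a = {d.lower(): [ipaddress.ip_address(x) for x in v] for d, v in (a or {}).items()}
        self.mx = {d.lower(): [ipaddress.ip_address(x) for x in v] for d, v in (mx or {}).items()}


def check_host(dns, ip, domain, _lookups=None):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    ip = ipaddress.ip_address(ip)
    lookups = _lookups if _lookups is not None else [0]   # shared across includes
    record = dns.txt.get(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    redirect = None
    for term in terms[1:]:
        if ":" not in term and "=" in term:                # modifier, e.g. redirect=
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                                        # exp= and unknown modifiers ignored
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = ip in dns.a.get((arg or domain).lower(), [])
            elif name == "mx":
                matched = ip in dns.mx.get((arg or domain).lower(), [])
            elif name == "include":
                inner = check_host(dns, str(ip), arg, lookups)
                if inner in ("none", "permerror"):          # RFC 7208 5.2: both are permerror
                    return "permerror"
                matched = inner == "pass"                   # only 'pass' counts as a match
            else:
                return "permerror"                          # ptr/exists/unknown mechanism
        except ValueError:                                  # malformed ip4:/ip6: argument
            return "permerror"
        if matched:
            return QUALIFIER[qual]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        return check_host(dns, str(ip), redirect, lookups)
    return "neutral"                                        # nothing matched, no 'all' term


# Constructed data: the page's SPF record plus the include:mktomail.com it mentions.
# The MX addresses and the Marketo netblock are made up (RFC 5737 ranges).
SAMPLE_DNS = FakeDns(
    txt={
        "windstream.com": "v=spf1 mx ip4:166.150.191.128/26 ip4:98.17.202.0/23 "
                          "ip4:173.186.244.0/23 ip4:65.114.230.67/32 "
                          "ip4:64.196.161.5/32 include:mktomail.com ?all",
        "mktomail.com": "v=spf1 ip4:198.51.100.0/24 -all",
    },
    mx={"windstream.com": ["192.0.2.10", "192.0.2.20", "192.0.2.30"]},
)

if __name__ == "__main__":
    for sender in ("192.0.2.10", "166.150.191.130", "198.51.100.5", "203.0.113.7"):
        print(sender, check_host(SAMPLE_DNS, sender, "windstream.com"))
```

Running it shows an MX host and a listed netblock passing, a Marketo address passing through the include, and an unknown sender landing on neutral because of ?all; swap the terminal term for -all or ~all and the same unknown sender becomes fail or softfail. A chain of more than ten includes returns permerror, which is what a real verifier returns for the whole record, not just the excess terms.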

DK/DKIM Records

DK and DKIM are public/private key based header signatures: the sending server signs selected headers and the body with a private key, and the recipient checks the signature against the public key published in DNS, which proves the message went out through a server the domain owner authorised and was not altered on the way. The first thing you will need is a public/private key pair – these do not have to be trusted keys from a public certificate authority, because the public key is published in our DNS and that is what the recipient trusts. A vendor or another internal group may provide their own public key for inclusion in our DNS record. Do not provide our private key to anyone else – keys are free, and if they are unable to generate one of their own, make one for them!

You can use openssl (openssl genrsa -out dkimkey.private 2048 followed by openssl rsa -in dkimkey.private -out dkimkey.public -pubout -outform PEM), an online generator, or the Web CA server. 1024-bit keys were common when this was written and are the smallest size RFC 8301 lets verifiers accept; use 2048, which is what the record below contains. Once you have a key pair, you need a selector. This is because different mail servers may send mail for a domain whilst using unique private keys to sign the messages. The selector can be anything – the selector name is configured in the mail server. It is visible in the mail headers and mail logs, so don’t elect to use anything rude. Stash the private key on your mail server (or provide it to the mail server owner) and put the public key in a DNS TXT record “selectorname._domainkey.sub.domain.gTLD”. Start the record with “v=DKIM1;” (optional, but recommended), k= indicates the key type (rsa in the openssl example), you can indicate signatures are being tested with “t=y” if desired, and then paste the bits between —-BEGIN PUBLIC KEY—- and —-END PUBLIC KEY—- into the p= part. A 2048-bit key is about 390 characters of base64, more than the 255 characters a single TXT string can hold, so enter it as two or more quoted strings; verifiers concatenate the strings in order, and they also ignore whitespace inside p=, so line-wrap residue like that below does no harm.

k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0s07391Axpsi/G0PTsO1 io1LOXSZ0bWAku4bgJ//swZj8OlFvDo59n9qC2Wsd21afI3si/PdDoDP69HNdgAT tIPaK6J0UqcCo9RNSiM3uA+GngdgTupwE2KrKn9/WQbC0tDA8e64e0HBHXwcF/ru OF+18LvpoA/cu1TFUNk0z+GSvqQ4L79k+gZWALvJL7kvCMIu3Gy8ZJpNerRSdrYH l/Nvg87dlZ+9yRI33IwNYpVl1UIrd6qLnGgM1xDMF+Sn21Obd06FOkV5ObXqKBPv 7gMhsUOPu8cIWK7wrd143wH5sWWX1VCBhhIEv1GFp6+SotvZayH5fQ/ri+BjWYzf PwIDAQAB

You should have an author domain signing practices record (_adsp._domainkey.sub.domain.gTLD) – this tells recipients what to do if a message is not signed. The content is “dkim=all” when all mail from the domain is signed. If all mail is signed and anything not signed should be dumped, then the content is “dkim=discardable”. This does not ensure that unsigned messages are discarded – that decision is up to the individual mail recipient configurations. To make no assertion, use “dkim=unknown”. Be aware that ADSP (RFC 5617) was reclassified as Historic in 2013 and most receivers ignore it in favour of DMARC, so treat this record as harmless legacy rather than enforcement.

You should also have a _domainkey.sub.domain.gTLD record. This is the policy record from the older DomainKeys specification (RFC 4870); DKIM verifiers do not read it, so it matters only for recipients still checking DK. You can include “t=y” when you are testing – this instructs recipients to treat signed and unsigned mail no differently. You can include notes (n=) and a responsible party for the domain (r=). The important one is o= … “o=-“ means all mail from the domain is signed, “o=~” means some mail from the domain may be unsigned.

Then test the records – you can send a message to autorespond+dkim@dk.elandsys.com and receive back a very detailed report on the DKIM validation, or you can use a web-based validation tool that checks only the DNS components. A DNS-only check proves the public key is published; only a signed test message proves the mail server is actually signing with the matching private key under the selector you expect.
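As an added example, not part of the original post, the Python below does the DNS side of the procedure above with nothing but the standard library: it turns a PEM public key into the selector._domainkey text split into 255-character TXT strings, renders the ADSP and DomainKeys policy records in zone-file syntax, and audits a published key record by decoding p=, walking the DER SubjectPublicKeyInfo structure to read the RSA modulus size, and flagging a key below 2048 bits, an empty (revoked) key, or a t=y left behind after testing. The key it uses as input is the public key shown above; the selector name “mail” is a placeholder.

```python
"""Build and audit the DNS records behind a DKIM key (standard library only)."""
import base64
import re

MAX_TXT_STRING = 255                # longest <character-string> in one TXT RR (RFC 1035)
MIN_BITS, GOOD_BITS = 1024, 2048    # RFC 8301: MUST be at least 1024, SHOULD be 2048

# The public key published on the page, exactly as it appears in the record.
PAGE_KEY_LINES = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0s07391Axpsi/G0PTsO1",
    "io1LOXSZ0bWAku4bgJ//swZj8OlFvDo59n9qC2Wsd21afI3si/PdDoDP69HNdgAT",
    "tIPaK6J0UqcCo9RNSiM3uA+GngdgTupwE2KrKn9/WQbC0tDA8e64e0HBHXwcF/ru",
    "OF+18LvpoA/cu1TFUNk0z+GSvqQ4L79k+gZWALvJL7kvCMIu3Gy8ZJpNerRSdrYH",
    "l/Nvg87dlZ+9yRI33IwNYpVl1UIrd6qLnGgM1xDMF+Sn21Obd06FOkV5ObXqKBPv",
    "7gMhsUOPu8cIWK7wrd143wH5sWWX1VCBhhIEv1GFp6+SotvZayH5fQ/ri+BjWYzf",
    "PwIDAQAB",
)
PAGE_PEM = "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % "\n".join(PAGE_KEY_LINES)
PAGE_RECORD = "k=rsa; p=" + " ".join(PAGE_KEY_LINES)   # the record as shown on the page


def pem_to_base64(pem):
    """Drop the BEGIN/END lines and all whitespace; what is left is the p= value."""
    return re.sub(r"-----(BEGIN|END) PUBLIC KEY-----|\s+", "", pem)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Bit size of the RSA modulus inside a p= value (a DER SubjectPublicKeyInfo).

    Raises ValueError (or IndexError) when the value is not an RSA public key.
    """
    der = base64.b64decode(re.sub(r"\s+", "", p_value), validate=True)
    tag, spki, _ = _tlv(der, 0)                          # SEQUENCE { algorithm, key }
    _, _algorithm, pos = _tlv(spki, 0)                   # AlgorithmIdentifier (rsaEncryption)
    tag2, bits, _ = _tlv(spki, pos)                      # BIT STRING; bits[0] = unused bits
    if tag != 0x30 or tag2 != 0x03 or bits[:1] != b"\x00":
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa_pub, _ = _tlv(bits, 1)                        # RSAPublicKey SEQUENCE { n, e }
    tag3, modulus, _ = _tlv(rsa_pub, 0)                  # INTEGER n
    if tag3 != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def key_record_strings(pem, testing=False):
    """selector._domainkey text, as a list of TXT strings no longer than 255 bytes."""
    text = "v=DKIM1; k=rsa; " + ("t=y; " if testing else "") + "p=" + pem_to_base64(pem)
    return [text[i:i + MAX_TXT_STRING] for i in range(0, len(text), MAX_TXT_STRING)]


def parse_tags(text):
    """'k=rsa; p=...' -> {'k': 'rsa', 'p': '...'}; whitespace inside values is dropped."""
    tags = {}
    for field in text.split(";"):
        if field.strip():
            key, _, value = field.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def audit_key_record(text):
    """Problems a verifier (or a reviewer) would raise about a published key record."""
    tags, problems = parse_tags(text), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=" + tags["k"])
    if "p" not in tags:
        problems.append("p= missing")
    elif tags["p"] == "":
        problems.append("p= empty: this selector is revoked")
    else:
        try:
            bits = rsa_modulus_bits(tags["p"])
        except (ValueError, IndexError):
            problems.append("p= does not decode as an RSA public key")
        else:
            if bits < MIN_BITS:
                problems.append("%d-bit key is below the %d-bit minimum" % (bits, MIN_BITS))
            elif bits < GOOD_BITS:
                problems.append("%d-bit key: %d bits is recommended" % (bits, GOOD_BITS))
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: verifiers treat signatures as if the mail were unsigned")
    return problems


def zone_lines(selector, domain, pem, testing=False, policy="all"):
    """The three TXT records described above, in zone-file syntax."""
    chunks = " ".join('"%s"' % c for c in key_record_strings(pem, testing))
    dk_policy = ("t=y; " if testing else "") + ("o=~" if policy == "unknown" else "o=-")
    return [
        "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, chunks),
        '_adsp._domainkey.%s. IN TXT "dkim=%s"' % (domain, policy),      # ADSP, RFC 5617
        '_domainkey.%s. IN TXT "%s"' % (domain, dk_policy),               # DomainKeys, RFC 4870
    ]
```

zone_lines("mail", "ljrtest.windstream.com", PAGE_PEM) prints the three records with the key split across two quoted strings, and audit_key_record(PAGE_RECORD) returns an empty list because the page’s key is 2048 bits, has no t=y, and decodes cleanly even with the line-wrap spaces left in. Run the audit against a selector you already publish; a 1024-bit key or a forgotten t=y is exactly the kind of thing that passes a DNS-only checker.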