Part of our support

There’s a sentence in Trump Jr’s released e-mail messages that really stands out to me: “This is obviously very high level and sensitive information but is part of Russia and its government’s support for Mr. Trump”

For a group of people who have spent almost a year now denying that Russia or its government in any way supported, promoted, aided, or favored Trump … passing around an e-mail thread about something that is part of Russia and its government’s support seems ironic. But extra super odd is that no one — neither Trump Jr, nor the people to whom he forwarded the message — found the phrase worthy of remark. Like they already know about Russia and its government providing support for Trump. More like “this message is part of that ongoing situation we all know about” rather than “this message is part of some new and surprising endeavor”.

Furls Crochet Along

Furls makes some beautiful crochet hooks — I picked some up a few years ago in a holiday promo coding failure (free shipping != 50$ off the order) and have been on their newsletter ever since. They’ve got a lot of cool project ideas – a lot of amigurumi critters and crochet along projects. I keep most of them, but nothing has been so awesome that I just had to do it. Until today.

This month’s crochet along project is a sun hat! I am really looking forward to making my own hat. I ordered the materials already – hopefully they’ll get here within a week so I can actually crochet along with the project.

Alternative Fact: Intentions Do Not Matter

Alternative Fact: Kellyanne Conway, in reference to Trump Jr scheduling a meeting with a Russian lawyer who promised damaging info on Clinton but was actually just tricked into scheduling a meeting to discuss adoptions: “Let’s focus on what did not happen in that meeting. No information provided that was meaningful. No action taken. Nothing”

Real fact: I think anyone who has contacted law enforcement officers when trying to put out a hit or got caught up in a solicitation sting can tell you … what you intended to do can be criminal even if your attempt is thwarted. It may be mitigating if he did not know who was offering damaging information about a political opponent. But in the middle of the DNC being hacked and information from the hacks being released (and the candidate specifically requesting the hackers find the deleted e-mail messages), wouldn’t you be suspicious of someone offering up damaging details about the opposition??

Kerberos Authentication on Tomcat

I finally got around to testing out Tomcat 8 and setting up Kerberos authentication for a “single sign-on” experience (i.e. it re-uses the domain logon Kerberos ticket to authenticate users). This was all done in a Docker image, so the config files can be stashed and re-used by anyone with Docker.

First you need an account – on the account properties page, the DES encryption option needs to be unchecked and the two AES options need to be checked. The account then needs to have a service principal name (SPN) mapped to it. That name is based on the hostname used to access the site. In my case, my site is http://lisa.example.com:8080 (the SPN is the same whether the site is http or https and regardless of port number) so my SPN is HTTP/lisa.example.com … to set the SPN, run

setspn -A HTTP/lisa.example.com sAMAccountNameOfMyNewlyCreatedAccount

Then generate the keytab:

ktpass /out .\lisa.example.com.keytab /mapuser sAMAccountNameOfMyNewlyCreatedAccount@EXAMPLE.COM /princ HTTP/lisa.example.com@EXAMPLE.COM /pass P@ssw0rdG03sH3r3

** Note about keytabs – a keytab file carries a KVNO (key version number). When security-related attributes on the account are changed (a password reset, for instance), the KVNO is incremented. Aaaand you need a new keytab. This means you need to be able to get a new keytab if you plan on changing the account password, but it also means that merely tweaking account settings can render your keytab useless. Get the account all sorted (check off password never expires if that’s what you want, check off user cannot change password, etc) and only then generate the keytab.

While you’re working on getting the SPN and keytab stuff sorted, get Docker installed and running on your box. I use Docker CE (free) on my Windows laptop, and I’ve had to disable the firewall to allow access from external clients. I would expect a rule (especially one allowing anything to make an inbound connection to 8080/tcp!) would sort it, but I’ve always had the port show as filtered until the firewall is turned off. YMMV.

I create a folder for files mapped into Docker containers (i.e. c:\docker) and sub-folders for each specific container. All of the files from TomcatKerberosConfigFiles are unzipped into that folder. The test website is named lisa.example.com and is either set up in DNS or added to c:\windows\system32\drivers\etc\hosts on the client(s) that will access the site. And, of course, there’s a client machine somewhere logged onto the domain. You are going to need to tweak my config files for your domain.

In jaas.conf — I have debug on. Good for testing and playing around, bad for production use. You’ll also need to put in your own SPN and keytab file name:

principal="HTTP/lisa.example.com@EXAMPLE.COM"
keyTab="/usr/local/tomcat/conf/lisa.example.com.keytab"

In krb5.conf — the encryption settings are about the only thing you can keep. Use your hostnames and domain name (REALM). If you have multiple domain controllers, you can have more than one “kdc = ” line in the [realms] section.

[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = /usr/local/tomcat/conf/lisa.example.com.keytab
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
forwardable=true

[realms]
EXAMPLE.COM = {
kdc = exchange01.example.com:88
master_kdc = exchange01.example.com:88
admin_server = exchange01.example.com:88
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

In web.xml – Roles may need to be sorted around (I’m not much of a Tomcat person, LMGTFY if you want to do something with roles). Either way, the realm needs to be changed to yours:

<realm-name>EXAMPLE.COM</realm-name>

Once Docker is running and the files are updated with your domain info, pull the tomcat:8.0 image from the default repository. Start the container, mapping all of the custom config files to where they go (read-only, since nothing inside the container should be changing them):

docker run --detach --publish 8080:8080 --name tomcat8 --restart always -v /c/docker/tomcat8/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml:ro -v /c/docker/tomcat8/lisa.example.com.keytab:/usr/local/tomcat/conf/lisa.example.com.keytab:ro -v /c/docker/tomcat8/krb5.conf:/usr/local/tomcat/conf/krb5.conf:ro -v /c/docker/tomcat8/jaas.conf:/usr/local/tomcat/conf/jaas.conf:ro -v /c/docker/tomcat8/web.xml:/usr/local/tomcat/webapps/examples/WEB-INF/web.xml:ro -v /c/docker/tomcat8/context.xml:/usr/local/tomcat/webapps/examples/WEB-INF/context.xml:ro -v /c/docker/tomcat8/logging.properties:/usr/local/tomcat/conf/logging.properties:ro -v /c/docker/tomcat8/spnego-r9.jar:/usr/local/tomcat/lib/spnego-r9.jar:ro -v /c/docker/tomcat8/login.conf:/usr/local/tomcat/conf/login.conf:ro -v /c/docker/tomcat8/testAuth.jsp:/usr/local/tomcat/webapps/examples/testAuth.jsp:ro tomcat:8.0

A couple of useful things about Docker — the container ID is useful to know, and “docker ps” shows it:

C:\docker\tomcat8>docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4e06b32e1ca8 tomcat:8.0 "catalina.sh run" 12 minutes ago Up 12 minutes 0.0.0.0:8080->8080/tcp, 0.0.0.0:8888->8080/tcp tomcat8

But most commands seem to let you use the ‘friendly’ name you ascribed to the container. Running “docker inspect” will give you details about the container – including its IP address. I’ve found different images use different settings: some map to localhost on my box, some get an IP address within my DHCP range.

C:\docker\tomcat>docker inspect tomcat8 | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",

Since this is an image that maps to localhost on my box, I need the lisa.example.com hostname to resolve to my laptop’s IP address. For simplicity, I did this by editing the c:\windows\system32\drivers\etc\hosts file.

Shell into the container:

docker exec -it tomcat8 bash

Update your packages and install the Kerberos client utilities:

root@4e06b32e1ca8:/usr/local/tomcat/conf# apt-get update
root@4e06b32e1ca8:/usr/local/tomcat/conf# apt-get install krb5-user

Then test that your keytab is working:

root@4e06b32e1ca8:/usr/local/tomcat/conf# kinit -k -t ./lisa.example.com.keytab HTTP/lisa.example.com@EXAMPLE.COM
root@4e06b32e1ca8:/usr/local/tomcat/conf# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/lisa.example.com@EXAMPLE.COM

Valid starting Expires Service principal
07/08/2017 18:27:38 07/09/2017 04:27:38 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/09/2017 18:27:38

Assuming you don’t get errors authenticating using the Kerberos client utilities, try accessing the Tomcat site. I’ve added a testAuth.jsp file to the examples webapp – it shows the logon method, user name, and what roles they have. If instead the Tomcat log shows an error like the one below, the browser did not send a Kerberos ticket for the SPN Tomcat holds (a browser that cannot get a service ticket for the hostname it used will typically fall back to NTLM, and that token is what SPNEGO rejects as “defective”):

09-Jul-2017 15:42:55.734 FINE [http-apr-8080-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Verify that your SPN is set to the same name being used to access the site. I’m not sure why the configured service principal name doesn’t supersede the user-entered hostname. But I got nothing but auth failures until I actually entered the hostname into my hosts file and used an address that matches the service principal name.
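The two things that bit me above (an SPN that does not match the hostname in the URL, and a keytab whose KVNO the KDC has moved past) can be checked before touching the browser. This is an added example, not part of the original post or the Tomcat project; the klist and kvno outputs it parses are constructed samples, and spn_from_url, keytab_kvno, kdc_kvno and check_keytab are names I made up for it.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the two
# failure modes described above. All sample outputs below are constructed.

# The SPN is derived from the hostname the browser actually uses: scheme, port
# and path are ignored, so http://lisa.example.com:8080/examples -> HTTP/lisa.example.com
spn_from_url() {
    host=$(printf '%s' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
                                   -e 's#[/?].*$##' -e 's#:[0-9]*$##' | tr 'A-Z' 'a-z')
    printf 'HTTP/%s' "$host"
}

# keytab_kvno LISTING PRINCIPAL: highest KVNO for PRINCIPAL in a `klist -k -e` listing
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { if (max >= 0) print max }'
}

# kdc_kvno OUTPUT: the version the KDC currently issues, from `kvno PRINCIPAL` output
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p'
}

# check_keytab URL REALM LISTING KVNO_OUTPUT
# returns 0 if usable, 1 if the SPN for URL is missing, 2 if the keytab is stale
check_keytab() {
    princ="$(spn_from_url "$1")@$2"
    kt=$(keytab_kvno "$3" "$princ")
    if [ -z "$kt" ]; then
        echo "FAIL: $princ is not in the keytab; the SPN must match the hostname in $1"
        return 1
    fi
    kdc=$(kdc_kvno "$4")
    if [ -n "$kdc" ] && [ "$kt" != "$kdc" ]; then
        echo "FAIL: keytab has kvno $kt but the KDC issues kvno $kdc; regenerate it with ktpass"
        return 2
    fi
    echo "OK: $princ is in the keytab with current kvno $kt"
}

# Constructed `klist -k -e lisa.example.com.keytab` output for a freshly generated keytab
KEYTAB_LISTING='Keytab name: FILE:lisa.example.com.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/lisa.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 HTTP/lisa.example.com@EXAMPLE.COM (arcfour-hmac)'
# Constructed `kvno HTTP/lisa.example.com@EXAMPLE.COM` output before and after a
# password reset on the service account bumped the version number
KDC_KVNO_OK='HTTP/lisa.example.com@EXAMPLE.COM: kvno = 3'
KDC_KVNO_STALE='HTTP/lisa.example.com@EXAMPLE.COM: kvno = 4'

# Walk through: working setup, stale keytab, and a URL whose hostname has no SPN
check_keytab http://lisa.example.com:8080/examples/ EXAMPLE.COM "$KEYTAB_LISTING" "$KDC_KVNO_OK"
check_keytab http://lisa.example.com:8080/examples/ EXAMPLE.COM "$KEYTAB_LISTING" "$KDC_KVNO_STALE" || true
check_keytab http://localhost:8080/examples/ EXAMPLE.COM "$KEYTAB_LISTING" "$KDC_KVNO_OK" || true
```

Inside the container the real inputs come from `klist -k -e /usr/local/tomcat/conf/lisa.example.com.keytab` and, after a kinit, `kvno HTTP/lisa.example.com@EXAMPLE.COM`.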

Legalese

So Trump Jr admits that he wanted to have a meeting to get damaging information about Clinton from a Russian attorney but got suckered into talking about adoptions. Sounds bad, but does it count as colluding with a foreign country to undermine a political opponent if you fail spectacularly?

Pressure Washer

We got a pressure washer a few days ago. I don’t like using herbicides on the patio (well, I don’t like using them in general), but keeping the brick free of weeds is an inundating task. We’ve got some vinyl that needs to be cleaned anyway, and found a really good deal on a 2000 psi Ryobi pressure washer.

Tested it out to see if it works well and to see how clean ‘stuff’ gets with just water. Wow! I don’t know if the patio bricks have ever been cleaned. I thought they were a darker colour, but it turns out they were just REALLY grubby. It’s a messy and time consuming process – I’m planning to wear my safety glasses when I finish it up because even low velocity sand in the eyeball … not fun. But it’s a lot of fun too (tiring and ironically dehydrating, but fun). Especially when Anya wants to play in the ricocheting water like it is a sprinkler.

Here’s the difference between cleaned and uncleaned brick — weeds get blasted right out, dirt is cleared off the stones and from between the bricks (we’ll certainly need to get more sand, since the gaps between the bricks are washed clean), and nothing was used but water. We were worried about damaging the stones, but 2000 psi didn’t break anything. There was a lot of mud piling up as I moved across the patio. I ended up taking a snow shovel and moving the mud off of the patio – otherwise I’d get to a point where the splash-back was making the already cleaned bits filthy again.

Once the patio is cleaned, I want to try it out on the siding and railing vinyl. Hopefully we can clean off the green stuff without detergent too.


Saboun Al Ghar Inspired Soap

Most old civilizations have traditional artisan production processes that are hard to sustain in the modern world. Some cheeses in Southern France were sustained through government grants until EU regulations considered such support unsporting. Su filindeu pasta is now made by only three people in Italy. As war ravages a country, even well sustained traditional methods become endangered. The civil/proxy war in Syria has displaced most if not all producers of صابون الغار (‘Aleppo soap’). While we may not be able to faithfully reproduce the exact process to create what may be the world’s oldest hard soap, I think it is important to preserve the knowledge of the process. The ingredients and proportions. The time and temperature of processing, how the soap is poured onto floors to cool and set whilst being walked on with wooden boards to flatten it out. How it is cut and stacked to cure.

In addition to documenting and preserving the process, derivative processes are developed to preserve some facet of the original product. Fact is, a lot of products are not protected by AOC, PDO, or any of the other “X has to be made in Y using the historic technique Z” regulations. Like the unfortunate not-Cheddar cheese that I find in many American grocery stores, Aleppo soap could be made with coconut oil and dye. And maybe that’s where the objection to cultural appropriation comes from — not an objection to someone respectfully trying to reproduce a cultural artifact but of someone bastardizing the artifact for profit or fashion. Reproducing sacred items for frivolity.

After reading about the displaced soap masters, I want to make a soap inspired by the Aleppo process. I need more experience with hot processing soap to follow the traditional long cook method, but I want to hot process the soap to control which oils comprise the superfat. Fully saponify the olive oil, then add the laurel berry oil and saponify some of it.

Then comes the actual recipe – the challenge with traditional soap recipes is that the saponification factor of ash varies. Buying sodium hydroxide yields a consistent product useful in recipes with precise measurements. Ghar soap recipes have percentages of olive oil to laurel berry oil, but more or less call for enough ash. I’m debating between five and ten percent superfat. Five percent seems fairly standard for soap recipes, so I’m leaning in that direction. But I wanted to continue researching authentic recipes before finalizing my ingredients.

Butterfly Garden

We have a small pond in the back yard and a bricked in courtyard in front of the house. I am building butterfly gardens with native plants in both areas. Hopefully we’ll be able to sit in the dining room and watch butterflies hatch.

Here are the plants that I’ve ordered:

| Common Name | Botanical Name | Type |
| --- | --- | --- |
| Partridge Pea | Chamaecrista fasciculata | Host and Nectar Plant |
| Showy Milkweed | Asclepias speciosa | Host and Nectar Plant |
| Western Sand Milkweed | Asclepias arenaria | Host and Nectar Plant |
| Wild Petunia | Ruellia humilis | Host and Nectar Plant |
| Butterfly Weed | Asclepias tuberosa | Host Plant |
| Common Milkweed | Asclepias syriaca | Host Plant |
| Whorled Milkweed | Asclepias verticillata | Host Plant |
| Blue Sage Salvia | Salvia azurea | Nectar Plant |
| Cardinal Flower | Lobelia cardinalis | Nectar Plant |
| Iron Weed | Vernonia altissima | Nectar Plant |
| Orange Coneflower, Orange Black-eyed Susan | Rudbeckia fulgida | Nectar Plant |
| Purple Prairie Clover | Dalea purpurea | Nectar Plant |
| Royal Catchfly | Silene regia | Nectar Plant |
| Sweet Joe Pye Weed | Eupatorium purpureum | Nectar Plant |
| Wild Bergamot, Wild Bee Balm | Monarda fistulosa | Nectar Plant |
| Golden Alexanders | Zizia aurea | Host Plant |
| Michigan Lily | Lilium michiganense | Nectar Plant |
| Rose Milkweed | Asclepias incarnata | Host and Nectar Plant |
| Purple Coneflower | Echinacea purpurea | Nectar Plant |
| Wild Lupine | Lupinus perennis | Host Plant |
| Wild Senna | Senna hebecarpa | Nectar Plant |

Making Soap Molds

I want to design and print my own soap molds – special holiday bars or pre-stamped bars. We’re still working on setting up the 3d printer, so haven’t tried anything yet. I have a few downloadable soap mold forms bookmarked (https://www.thingiverse.com/thing:1806226/apps happens to be up in another tab now, but search Thingiverse for ‘soap mold’ and you will find quite a few).

The trick will be finding an appropriate filament — one that won’t melt at soaping temps (something I need to better understand) but can still be extruded at my printer temp (190-250 °C). Preferably a not-too-rigid filament with a little bit of flex. That’s trial and error – expensive, too, when buying whole rolls of filament. I found http://globalfsd.com/ (there’s both a US and European site) that sells small quantities of many filaments, and I’ve purchased a bunch that *seem* like they might work.

What I plan to do until I can identify a perfect filament for non-melting, easy-to-remove soaps is create positive forms on the 3d printer (essentially print what you want a bar of soap to look like) and then google up a procedure for making a silicone mold (uneducated guess is glop some silicone ‘stuff’ onto the positive form to create the negative silicone mold).

For anyone wanting to play with a 3d printer without dropping a couple hundred bucks on it: check your local library. Ones around here are building “maker spaces” with 3d printers, embroidery machines, engraving machines, large format printers, etc. You pay for consumables (i.e. filament in this case) but gain familiarity with the machines before deciding to invest in one.

Logic

Trump wants to help some poor baby in England who has an incurable disorder and really no hope for recovery. Of course he doesn’t want to help people with mitochondrial DNA depletion syndrome by funding medical research. He doesn’t want to help Americans with any sort of disorder by ensuring they have affordable health insurance. Or, hell, a single payer system where they don’t need insurance to obtain rehabilitative medical treatments. The new American health care strategy — develop SEO and social strategies to ensure your sad medical story gets a presidential view and thus you win medical care.

Or perhaps, profiteer that he is, Trump wants to help someone who has raised 1.7 mil come here and spend it. How much does he care about thousands of other terminal kids around the world who don’t have a couple mil to blow? Consistent with the new GOP health care plan: “make sure you have a load of cash on hand”.

I’ve long maintained that humans are not able to perform as rational actors in a free market when it comes to their health care. We may be limited by reality, but I suspect anyone who could come up with a billion dollars would be willing to spend a billion dollars to save their life. Looking at the fundraising for this kid, I realize we are not capable of performing as rational actors when it comes to other people’s healthcare either. A fact which reflects well on society, but makes any capitalistic form of medical care irrational.

More telling, he doesn’t want to subjugate his desires to expert opinion or reality. Sometimes modern medicine cannot do anything to save a person. Terribly sad fact, but still a fact. The question then becomes what measures should be taken to prolong an individual’s life. I have had older friends with DNR (do not resuscitate) orders – or more specific documented requests of what they would and would not like to be done to prolong their lives. How much money is it reasonable to spend allowing machines to breathe for someone who is effectively dead? How many people’s lives could be saved with 1.7 million dollars?! It’s these kinds of questions that make health care policy “hard”, but they need to be answered in a way that is consistent with legal frameworks and funding. Especially funding — if we value life so dearly, then we are willing to pay millions of dollars to stave off physical death for those with no hope of recovery. This means either taxes, insurance premiums, or both. Or we draw a line somewhere. And, yeah, it sucks when your loved one is on the other side of the line. But it sucks that your loved one has no hope of recovery too. There’s anger and the bastards refusing to pay for this treatment are an easy target. If we could only sustain his body for a few more decades as medical science advances …

Then agree to pay more for insurance when you are younger to balance out the pricing for older and sicker people. Or agree to cede more of your earnings for taxes that will fund all available medical care for the duration of any sick person’s artificially prolonged life. Both providing infinite care and not paying for it is not an option given the freedoms we have in this country.