Geothermal Is Online!

We’ve got a functioning geothermal HVAC system running! They finished up the piping from the exterior wall to the furnace.

I was rather excited to see the containers of methanol — filling the tubes is the last step before bringing the system online. I like a nice fire … but it’s a cold way to heat your house.

The loop filling contraption hooks up to the domestic water supply, mixes in the methanol, and pumps it into the loop field. Over a hundred gallons – since we know the diameter (3/4″ in the loopfield, 1.5″ to the house) and the length (8x 200′) … we’ll calculate the volume of the cylinder some day. But for now … we’ve got HEAT!!!

About as messy as a bean can be …

She managed the full Glastonbury experience without leaving home — shoes stuck in the adobe-esque mud, clay mud coating everything. We’re going to turn the geothermal dig site into Anya construction play land next year — take the toy excavator & dump truck out, make some roads, and generally get filthy.

Mead Tasting!!

We siphoned our mead with the 47b yeast into a new container and pulled some out for Christmas dinner. It is really good – a slightly sweet young tasting white wine. We’ve got a gallon left that we’re going to let age. I’m hoping the 71b batches are this good.

Penguin Snacks

While looking for a healthy snack for Anya’s preschool Christmas party, I came across quite a few cute but not-for-bunches-of-kids snacks. One of them was penguins made of olives, cream cheese, and carrots. The not-kid-friendly part was the toothpick that holds the whole thing together. Well … turns out you can make them without toothpicks. Don’t move them afterward, walk softly … and there is a lot of intricacy that means I’m not making enough for a party tray. But Anya loved having half a dozen little penguin snacks to munch on today.

Use a small olive and a jumbo olive. Slice a section from the jumbo olive. Roll cream cheese into an oblong shape & stuff into the olive. Slice a carrot into circles, and cut a small triangle from each circle. Set the stuffed jumbo olive on the carrot circle. Put the carrot triangle into the small olive, smear a little cream cheese on the ‘neck’ part of the small olive, then stick it onto the jumbo olive. Voila, one penguin.

Unity

Trump’s election-night speech (and several of his subsequent prepared addresses) call for unity – working together, finding a common ground, restoring trust … but what I realize I am not hearing (apart from his unscripted interviews where he seems to say all of his campaign promises are bull and he’s actually willing to listen to facts) is that coming together doesn’t mean embracing his position. I’ve had friends whose idea of compromise was that YOU compromise and do what they want. Not fun people to be around, but a terrible position for government. Basically I don’t care that there were 3 million more of you … I won, so fuck off. Try to get Congress back and stop me in a few years. That’s not unity, it’s repression. Works for a while, but not sustainable. But that’s bringing business acumen to governance – short term gains that make me look good, what happens in four or eight years is the next guy’s problem. I’ll be retired, rich, and well-renowned.

Fruity Cakes and Breads

It’s the time of year when Americans make fun of fruitcake … which, having seen the strange brick-shaped thing studded with something that claims to be candied fruit … yeah, that thing sucks. But real fruitcake and other breads with real candied fruit/peel are incredible. I’ve got a bunch of fruit and peel candied and have been making breads.

This panettone got scorched at the bottom – I think it was the tin on which I set the baking paper. I’ll use something else next time.

Custom Password Filter Update (unable to log on after changing password with custom filter in place)

I had written and tested a custom Active Directory password filter – my test included verifying the password actually worked. The automated testing was to select a UID from a pool, select a test category (good password, re-used password, password from dictionary, password that doesn’t meet character requirements, password containing surname, password containing givenName), and set the password on the user id. Record the result from the password set, then attempt to use that password and record the result from the bind attempt. Each test category has an expected result, and any operation where the password set or bind didn’t match the expected result was highlighted. I also included a high precision timer to record the time to complete the password set operation (wanted to verify we weren’t adversely impacting the user experience). Published results, documented the installation and configuration of my password filter, and was done.

Until the chap who was installing it in production rang me to say he couldn’t actually log in using the password he set on the account. Which was odd – I set one and then did an LDAP bind and verified the password. But he couldn’t use the same password to log into a workstation in the test domain. Huh?? I actually knew people who wanted *some* users to be able to log in anywhere and others to be restricted to LDAP-only logons (i.e. web portal stuff) and ended up using the userWorkstations attribute to allow logon to DCs only.

We opened a case with Microsoft and it turns out that their Password Filter Programming Considerations didn’t actually mean “Erase all memory used to store passwords by calling the SecureZeroMemory function before freeing memory.” What they meant was “If you have created copies of the password anywhere within your code, make sure you erase memory used to store those copies by calling SecureZeroMemory …”

Which makes SO much more sense … as the comments in the code I used as our base say, why wouldn’t MS handle wiping the memory? Does it not get cleaned well if you don’t have a custom password filter?? Once I remarked out the call to SecureZeroMemory, the password worked for NTLM authentications as well as Kerberos!

// MS documentation suggests doing this. I honestly don’t know why LSA
// doesn’t just do this for you after we return. But, I’ll do what the
// docs say…
// LJR – 2016-12-15 Per MS, they actually mean to wipe any COPIES you make
// SecureZeroMemory(Password->Buffer, Password->Length);

I’ve updated my version of the filter and opened an issue on the source GitHub project … but if anyone else is working on a custom password filter, following MS’s published programming considerations, and finds themselves unable to use the password they set … check whether you are zapping only your own copies of the password, or the PUNICODE_STRING that LSA passes in.
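As an added example (not code from the original post or its GitHub project), here is a portable C model of the two behaviours. The stand-in UNICODE_STRING, secure_zero, policy_ok and the simulated LSA caller are all assumptions; the point it demonstrates is that wiping the buffer the caller passed in leaves the caller holding an empty password, while wiping only a local copy does not.

```c
#include <string.h>
#include <wchar.h>

/* Portable stand-in for the UNICODE_STRING LSA hands to a password filter:
 * Length/MaximumLength are byte counts and Buffer is not NUL-terminated. */
typedef struct {
    unsigned short Length;
    unsigned short MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Portable equivalent of SecureZeroMemory: volatile stores the compiler may not elide. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hypothetical policy rule standing in for the real filter's checks: >= 8 chars, no spaces. */
static int policy_ok(const wchar_t *pw, size_t chars) {
    return chars >= 8 && wmemchr(pw, L' ', chars) == NULL;
}

/* The bug from the post: wiping the buffer LSA passed in. LSA then derives
 * the NTLM hash from what is now an empty password, so the logon fails. */
int filter_wipes_caller_buffer(PUNICODE_STRING Password) {
    int ok = policy_ok(Password->Buffer, Password->Length / sizeof(wchar_t));
    secure_zero(Password->Buffer, Password->Length);   /* wrong: not our copy */
    return ok;
}

/* The intended reading of the guidance: work on a local copy and wipe only that. */
int filter_wipes_local_copy(PUNICODE_STRING Password) {
    wchar_t copy[256];
    size_t chars = Password->Length / sizeof(wchar_t);
    if (chars >= sizeof copy / sizeof copy[0]) return 0;   /* too long to copy */
    memcpy(copy, Password->Buffer, Password->Length);
    copy[chars] = L'\0';
    int ok = policy_ok(copy, chars);
    secure_zero(copy, sizeof copy);                        /* right: only our copy */
    return ok;
}
/* Models LSA: run the filter, then check that the password LSA still holds is the
 * one the user typed. Returns 1 only if the filter accepted it and it is intact. */
int lsa_password_intact_after(int (*filter)(PUNICODE_STRING)) {
    wchar_t buf[] = L"Correct-Horse-42";                  /* constructed sample */
    UNICODE_STRING pw = { (unsigned short)(wcslen(buf) * sizeof(wchar_t)),
                          (unsigned short)sizeof buf, buf };
    if (!filter(&pw)) return 0;
    return wcscmp(buf, L"Correct-Horse-42") == 0;
}
```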