Month: March 2017

Alternative Fact: Incidental Intercept

Alternative Fact: The Obama administration has “wiretapped” (now in quotes, which evidently means intercepted some type of communication using any number of means) Trump. Or his associates.

Real Fact: If an investigative agency has legitimate orders permitting them to intercept communications of a specific individual or location and they happen to pick you up because you are communicating with that individual or location, *you* are not being spied on.

The Russian Ambassador in DC was being spied on – but I’m sure Kislyak knew that a decade or so before when he took the role so this isn’t exactly earth shattering news as much as “standard operating procedure”. If it makes you feel better, I’m sure the Russians surveil Spaso House. And anyone who happens to ring that number gets their communication intercepted too. Hell, I would bet that Ambassadors.

If you really want to think about it, all sorts of people are probably picked up in incidental intercepts. Why is that? Start reading the actual laws that supposedly allow surveiling foreigners without impugning the rights of American citizens. And how poorly those protections actually protect our rights. Actually read the Foreign Intelligence Surveillance Act. Too long, at least read up on Section 702 surveillance. In a bit of extra irony, it was Nunes who was called out for misrepresenting the risk of ‘backdoor’ searches where American citizens have communications intercepted under these “save us all from the terrorists” laws. Before getting a warrant for *you* specifically (well, provided you’re doing something dodgy), I’m certain law enforcement queries their database of collected information to see if they’ve already got something on you. So basically Nunes is sure the existing laws protect us, ordinary citizens … but the exact same laws were horribly abused to spy on Trump. Basically it’s fine for everyone else, but this law shouldn’t apply to ME.

 

From Russia, With Love

The more I hear about Flynn communicating with Ambassador Kislyak, the stranger it seems. Why the subterfuge? Surely the Russians knew Trump won the election, and they knew when he took power. Even if they didn’t think Trump would remove any sanctions put in place (why object to something you know is going to be rescinded in a few weeks?), the strategic move would be to wait for an inexperienced administration before taking any retaliatory action. There was absolutely no reason to tell the Russians “hey, don’t worry about the sanctions being put in place by the current administration. we’ll get you sorted in January”.

Learning From History

It is not yet hurricane season, but there are other sorts of natural disasters that aren’t so predictable. And there is not a director of FEMA. Some directors have a great deal of experience in disaster management, and some (GW’s guy who couldn’t manage to run the Arabian Horse Association) are sweet jobs given to friends or political supporters. After FEMA’s performance during Katrina, I expected the office to become the exclusive domain of people with disaster management experience. Folks from the Red Cross, or National Guards, or disaster response agencies from states prone to disasters. For some time, that expectation was realized.

Then came Trump. Like many facets of government where Republicans think government is just wasting money or causing problems … well, he hasn’t even managed to nominate a political hack to serve as the agency head. There’s no one. I have a lot of experience in M&A – any time your department doesn’t get a manager in the new org, update your resume. Your functionality is not going to be around much longer. Because, like we don’t actually ‘need’ the DOE (an agency that keeps track of nuclear materials and intercepts it on the black market) … evidently we don’t need FEMA??

Book “Guitars”

I’ve been trying to play some more teaching games with Anya. Today’s activity was building our own guitar-like instrument. A small box with a hole cut in it would work well, but we used a couple of her board books. Stretch a few rubber bands around the book (I’m a little uptight, so I put them in a specific tonal order … hers are a haphazard arrangement), then insert something under the bands along the book to raise the bands up a little bit from the book. A wooden block, a marker, and a glowstick all worked well. If you put the object toward the center of the rubber bands, then you get two different notes per band.

LAPS For Local Computer Administrator Passwords

Overview

LAPS is Microsoft’s solution to a long-existing problem within a corporation using Windows computers: when you image computers, all of the local administrator passwords are the same. Now some organizations implemented a process to routinely change that password, but someone who is able to compromise the local administrator password on one box basically owns all of the other imaged workstations until the next password change.

Because your computer’s local administrator password is the same as everyone else’s, IT support cannot just give you a local password to access your box when it is malfunctioning. This means remote employees with incorrect system settings end up driving into an office just to allow an IT person to log into the box.

With LAPS, there is no longer one ring to rule them all – LAPS allows us to maintain unique local administrator passwords on domain member computers. A user can be provided their local administrator password without allowing access to all of the other domain-member PCs (or a compromised password one one box lets the attacker own only that box). A compromised box is still a problem, but access to other boxes within the domain would only be possible by retrieving other credentials stored on the device.

Considerations

Security: The end user is prevented from accessing the password or interacting with the process. The computer account manages the password, not the user (per section 4 LAPS_TechnicalSpecification.docx from https://www.microsoft.com/en-us/download/details.aspx?id=46899).

Within the directory, read access is insufficient (per https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad/) to view the attribute values. In my proposed deployment, users (even those who will be retrieving the password legitimately) will use a web interface, so a single service acct will have read access to the confidential ms-Mcs-AdmPwd attribute and write access to ms-Mcs-AdminPwdExpirationTime. There are already powershell scripts published to search an improperly secured directory and dump a list of computer names & local administrator passwords. You should run Find-AdmPwdExtendedrights -identity :<OU FQDN> to determine who has the ability to read the password values to avoid this really embarrassing oversight.

Should anyone have access to read the ms-Mcs-AdmPwd value beyond the service account? If the web interface goes down for some reason, is obtaining the local administrator password sufficiently important that, for example, help desk management should be able to see the password through the MS provided client? Depends on the use cases, but I’m guessing yes (if for no other reason than the top level AD admins will have access and will probably get rung up to find the password if the site goes down).

In the AD permissions, watch who has write permission to ms-Mcs-AdminPwdExpirationTime as write access allows someone to bump out the expiry date for the local admin password. Are we paranoid enough to run a filter for expiry > GPO interval? Or does setting “not not allow password expiration time longer than required by policy” to Enabled sufficently mitigate the issue? To me, it does … but the answer really depends on how confidential the data on these computers happens to be.

With read access to ms-Mcs-AdmPwdExpirationTime, you can ascertain which computers are using LAPS to manage the local administrator password (a future value is set in the attribute) and which are not (a null or past value). Is that a significant enough security risk to worry about mitigating? An attacker may try to limit their attacks to computers that do not use LAPS to manage the local admin password. They can also ascertain how long the current password will be valid.

How do you gain access to the box if the local admin password stored in AD does not work (for whatever reason)? I don’t think you’re worse off than you would be today – someone might give you the local desktop password, someone might make you drive into the office … but bears considering if we’ve created a scenario where someone might have a bigger problem than under the current setup.

Does this interact at all with workplace join computers? My guess is no, but haven’t found anything specific about how workplace joined computers interact with corporate GPOs.

Server Side

Potential AD load – depends on expiry interval. Not huge, but non-zero.

Schema extension needs to be loaded. Remove extended rights from attribute for everyone who has it. Add computer self rights. Add control access for web service acct – some individuals too as backup in case web server is down??

Does a report on almost expired passwords and notify someone have value?

Client Side

Someone else figures this out, not my deal-e-o. Set GPO for test machines, make sure value populates, test logon to machine with password from AD. Provide mechanism to force update of local admin password on specific machine (i.e. if I ring in and get the local admin password today, it should get changed to a new password in some short delta time).

Admin Interface

Web interface, provide computer name & get password. Log who made request & what computer name. If more than X requests made per user in a (delta time), send e-mail alert to admin user just in case it is suspicious activity. If more than Y requests made per user in a (longer delta time), send e-mail alert to admin user manager.

Additionally we need a function to clear the password expiry (force the machine to set a new password) to be used after local password is given to an end user.

User Interface

Can we map user to computer name and give the user a process to recover password without calling HD? Or have the manager log in & be able to pull local administrator for their directs? Or some other way to go about actually reducing call volume.

Future Considerations

Excluding ms-Mcs-AdmPwd  from repl to RODC – really no point to it being there.

Do we get this hooked up for acquired company domains too, or do they wait until they get in the WIN domain?

Does this facilitate new machine deployment to remote users? If you get a newly imaged machine & know its name, get the local admin password, log in, VPN in … can you do a run-as to get your creds cached? Or do a change user and still have the VPN session running so you can change to a domain user account?

LAPS For Servers: Should this be done on servers too? Web site could restrict who could view desktops v/s who could view servers … but it would save time/effort when someone leaves the group/company there too. Could even have non-TSG folks who would be able to get access to specific boxes – no idea if that’s something Michael would want, but same idea as the desktop side where now I wouldn’t give someone the password ‘cause it’s the password for thousands of other computers … may be people they wouldn’t want having local admin on any WIN box they maintain … but having local admin on the four boxes that run their app … maybe that’s a bonus. If it is deployed to servers, make sure they don’t put it on DCs (unless you want to use LAPS to manage the domain administrator password … which is an interesting consideration but has so many potential problems I don’t want to think about it right now especially since you’d have to find which DC updated the password most recently).

LAPS For VDI: Should this be done on VDI workstations? Even though it’s a easier to set the password on VDI the base VDI images than each individual workstation, it’s still manual effort & provides an attack vector for all of the *other* VDI sessions. Persistent sessions are OK without any thought because functionally no different than workstations. Non-persistent with new name each time are OK too – although I suspect you end up with a BUNCH of machine objects in AD that need to be cleaned up as new machine names come online. Maybe VDI sorts this … but the LAPS ‘stuff’ is functionally no different than bringing a whole bunch of new workstations online all the time.

Non-persistent sessions with same computer name … since the password update interval probably won’t have elapsed, the in-image password will be used. Can implement an on-boot script that clears AdmPwdExpirationTime to force change. Or a script to clear value on system shutdown (but that would need to handle non-clean shutdowns). That would require some testing.

 

Testing Process

We can have a full proof of concept type test by loading schema into test active directory (verify no adverse impact is seen) and having a workstation joined to the test domain. We could provide a quick web site where you input a computer name & get back a password (basically lacking the security-related controls where # of requests generate some action). This would allow testing of the password on the local machine. Would also allow testing of force-updating the local admin password.

Once we determine that this is worth the effort, web site would need to be flushed out (DB created for audit tracking). Schema and rights would need to be set up in AD. Then it’s pretty much on the desktop / GPO side. I’d recommend setting the GPO for a small number of test workstations first … but that’s what they do for pretty much any GPO change so not exactly ground breaking.

Self Driving Cars (or Market Driven Algorithms)

I don’t see much of a future for self-driving passenger vehicles. There are two non-tenable options for crash avoidance algorithms. Either the algorithm prioritizes my life and property (which means it would kill someone else to save my life … good for me, bad for society) or it won’t (great for society, but am I going to pay money for a car that will literally kill me to save someone else?). Does the computer assisted human driving model suffer this flaw? An algorithm that engages the brakes any time there is an obstacle within X feet fails to consider the vehicle that is about to slam into the side of your car if you don’t move it into the shrubbery ahead of you.

Self-driving unoccupied vehicles can simply de-prioritize itself (and the owner needs to accept that financial risk). We may see driving as a service (DaaS?) where a real human is responsible for making these split-second decisions. But allowing people to achieve the metro experience in their own vehicle (i.e. you sit and work for half an hour whilst your conveyance delivers you to your destination) is probably not going to happen.

Introduction to Addition and Subtraction

I came up with a game to visualize the concepts of addition and subtraction. I asked Anya to get a couple of stuffed toys and line them up on the floor. She brought three. I then asked her to hide one under the table and tell me how many there were (2). Then hide two under the table and see how many (0). Then take one out from the table and put it in the pile – now we have one. Add two more – we have three. Add one more … oops, had to run upstairs and get another one. Now we’ve got four. Subtract two – hide them under the table. Now that the terms ‘add’ and ‘subtract’ have been introduced, I began to just say ‘add #’ and ‘subtract #’.

Then we worked on a little algebra — you have two in your pile now. How many do you need to add to make five? Don’t know … well make a second pile … three, four, five. How many are in that second pile? Three – so if you have two and want to have five … you need three more.

Alternative Facts: Maths Edition

Alternative Fact: From Mick Mulvaney (Director of the Office of Management and Budget) on CNN:

“But you could have a long conversation, when you have got a numerator and a denominator, how to arrive at a percentage.”

Real Fact: When you have a numerator (call it X) and a denominator (call it Y), you arrive at a percentage using the formula:

( (X/Y) * 100) %

If this involves a *long conversation*, either you are teaching someone a new concept or they are screwing with you (let’s debate the pros and cons of Excel, long division on paper, the calculator on my phone).

Homemade Ice Cream Take 1

During the Christmas-time sales, I bought an ice cream attachment for our Kitchenaid mixer. The bowl has been stashed in the freezer portion of a refrigerator/freezer for several months. I decided to make a maple ice cream for our first batch. I combined the maple syrup, cream, and egg yolks in a large metal bowl. That bowl was used as the top of a double-boiler. Whisked it constantly over a medium low heat until it congealed into custard. Placed my custard in a glass container and stored it in the refrigerator overnight.

The next day, I set up our ice cream attachment. Slowly poured the custard into the container … the instructions say ice cream should be formed in 10-15 minutes. It didn’t. Let it run a little over twenty minutes and … nothing even close to ice cream. I put my custard back into its container in the refrigerator, washed the bowl, and asked Google what I’ve done wrong. Turns out the ice cream bowl needs to be frozen absolutely solid – shake it as you remove it from the freezer, it shouldn’t be even a little bit sloshy. Oops. Mine was mostly frozen, but that’s not good enough. So I put the bowl into a dedicated freezer and left it there for 12 hours. Completely solid. I put the bowl back into the freezer and moved the custard into the freezer for an hour too – the colder the custard is, the less it will heat the bowl materials.

So, do this all over again. Get custard and bowl, set up mixer, mix … and it started to harden. I could see the liquid along the side of the bowl freeze and get scraped off. Twelve minutes later, we had a fairly thick frozen base. I transferred the proto-ice cream into a low pyrex bowl, closed it up, and put the bowl into our freezer. About eight hours later, it was Survivor premier / ice cream time. First bite and … what’s that strange grainy texture? Looked it up and everyone is talking about ice crystals. These aren’t ice crystals … it’s just an odd little hard lump.

We were about halfway through the bowl when Scott got a big odd hard lump. It was BUTTER. Frozen butter, but still butter. I’m guessing you cannot re-use custard. If your first attempt at making ice cream doesn’t work … maybe you could re-strain it to remove any little butter bits. Or if it isn’t starting to freeze after five minutes, you know something isn’t right and don’t let it mix long enough to turn into butter. But, this wasn’t the stunning success for which I was hoping.

Next up is a coconut milk / coconut cream / mango ice cream. Hopefully that will turn out better.

Cultural Appropriation

There’s a lot of talk about the evils of cultural appropriation that I think miss the real issue. No one objects to the cultural exchange where everyone worldwide wearing denim jeans and eating a burger at McDonalds (OK, people object to the global takeover of American ‘fast food’ but that’s more of health objection to the high-calorie/low-nutrient lifestyle the restaurant style represents.). Cultural appropriation is only ‘bad’ to garner sympathy for the source.

There’s something to be said for enjoying aspects of another culture. Experiencing other cultures teaches us about other groups. It’s important not to conflate appropriated cultural elements with the culture as a whole — wearing lederhosen does not impart a deep knowledge of Bavarian culture — so as to avoid stereotyping the culture into just those appropriated elements.

There are certainly problems associated with cultural appropriation — you can appropriate cultural elements but remain prejudice against the culture itself, you can disrespect cultural elements being appropriated, and objecting to cultural appropriation serves as a proxy for actually doing something to help groups being harmed or diminished in modern society.

Trump symbolizes the first problem to me — loudly proclaims that Mexicans in this country are a bunch of thugs, rapists … hold on a sec, let me chow down on this burrito … and drug dealers. And, really, my objection isn’t the guy eating a burrito. It’s the vitriol being spewed about the culture. Cultural appropriation is a red herring in this case.

When appropriated culture subversively or disrespectfully — especially cultural components with a deep religious meaning that is ignored. Satanists with crosses, a teen listening to rap because it anger their parents … and there’s a difference between experiencing/enjoying and mocking. At that, there are different types of mocking. I have a set of espresso cups that are done in the style of traditional English willow patterns but using industrialized areas instead of natural subjects. Irony is a form of mockery – albeit self-mockery since the manufacturer, artist, and I are all part of the ultra-industrialized Western civilization. When objecting to the appropriation of religious symbolism by a particular culture, say a non-Rasta wearing dreadlocks, the objection should be universal. A German non-Rasta, a Egyptian non-Rasta, a Sudanese non-Rasta, hell a Jamaican non-Rasta should all receive the same criticism.

Leaving aside insult to religious symbols and adoption of style to create offense, kids are boycotting food service at Uni over the inclusion of sushi in the menu!? The person who taught me to make sushi was a white guy from Connecticut – a fact that in no way diminishes either Japanese culture or the sushi we produced. It’s as if appreciation of arts, foods, and style have become a proxy war for opposing real harms against groups. Many groups of people were enslaved around the world. That sucks, but some white person wearing or not wearing dreadlocks isn’t going to change history any more than it will change the more subtle slights against now-freed races. Muslims have been persecuted (not just in recent years, ‘retaking the Iberian peninsula from the Moors’ or the Crusades weren’t exactly cross-cultural love fests), but refusing to eat a falafel isn’t going to change that. And sushi … yes, the American government imprisoned Japanese Americans during WW2 (I assume ‘for their own good’), but only allowing someone of Japanese descent to layer slices of fish on rice isn’t going to change it.

People want to do something – sometimes for a historically wronged culture, sometimes for a currently harmed culture – without actually doing something hard or admitting the limits of their personal influence. Instead of taking real action to work against racism or to support under-served communities (join an organization, volunteer somewhere, send money somewhere) … we attack people who are enjoying components of the culture. What I find most ironic is that every organisation to promote cross-cultural understanding in which I’ve ever participated has encouraged cultural appropriation. A Turkish American organization that held cooking classes. A Greek American association teaching art, a Native American society teaching traditional dying and weaving methods, an African American organization teaching dance. Which makes me wonder if the cultures in question even object to the appropriation. Certainly, in some cases … where they are significantly losing out on the bargain. Rock and roll comes to mind as a prime example there. But as a general rule, are indigenous Aussies offended that we’re winging boomerangs around in a park?

That being said, why do we have to move dates around? I’m used to American Oktoberfest celebrations being in October (sounds the same, must be right?) although the actual event in Munich starts in September and can run into the first few days of October. There’s a Hindu celebration, Holi … there are several stories behind the celebration, but it is a SPRING celebration. That starts on 12 March this year.

Since that date is coming up, I wanted to find a local kid-friendly Holi celebration … and found a local kids-allowed festival is in September. There are, it seems, many “Festival of Colours” celebrations across the US and a handful actually occur in Spring. We’ll probably still go … never refused to drink a nice eisbock just because it was mid-October either 🙂