Month: July 2017

Business Practices To Avoid

Don’t ignore your customers. Seems obvious, but failing to engage customers undermines large corporations. I worked for one of Novell’s last big customers back in 2000-2010. We had the misfortune of being in the same territory as their biggest customer, FedEx, so got little sales attention. We were having problems managing computers without using the Active Directory domain — the dynamic local user Zen component that hooked the Novell GINA and created/maintained local user accounts had been used before an NT4 domain even existed within the company. In perusing their web site, I identified a product that perfectly met our needs *and* managed mobile devices (which was an up and coming ‘thing’ at the time). Why, I asked the sales guy, would you not pitch this product to us when we tell you about the challenges we are trying to address? No good answer, but it really was a rhetorical question. There wasn’t a downloadable demo available, you had to engage your sales rep to get a working demo copy — I asked for one, and he said he’d get one to me when he got back to his office.

Nothing. Emailed him a week later in case he just forgot. Oh, yeah, I’ll get that right out to you. A few weeks later, emailed him again. A few weeks later — well, let’s be serious here. We started using Exchange in 2000, and had an Active Directory domain licensed for all users anyway. We were willing to consider paying real money for the Novell product because the migration path was easier … but from a software licensing perspective, switching workstation authentication to AD was a 0$ thing. Needed a few new servers to handle authentication traffic – I think I went with five at about three thousand dollars each. Deployment, now that’s a nightmare. I wrote custom code to re-ACL the user profile directory and modify the registry to link the new user.domain SID to the re-ACL’d old profile directory. It got pushed out via automated software deployment and the failures would call in each morning. Even a 1% failure rate when you’re doing 10,000 computers a week is a lot of phone calls and workstation re-images. (At a subsequent employer, we made the same change but placed workstations into the domain as they were re-imaged for other reasons. New computer, you’re in the domain. Big problems with your OS, you’re in the domain. Eventually we had a couple hundred computers not yet in the domain and the individual users were contacted to schedule a reimage. Much cleaner process.)

The company didn’t last much longer — they purchased SuSE not much later. The sales guys came back – we used RHEL but would have happily bundled our Linux purchases into the big million dollar contract. How much are you looking to charge for updates? Dunno. How much is support? Dunno. Do you know anything about the company’s sales plan for SuSE? Not a thing. Well … glad you could stop by? I guess.

As far as software companies go, this is ancient history. But it’s something I think of a lot when dealing with Microsoft these days. There’s a free mechanism that allows you to use your existing Active Directory to store local workstation admin account passwords. Local workstations manage their own passwords — no two passwords are the same; you can read the individual computer’s password out of AD and provide it to the end user. Expire the computer’s local admin password and next time it communicates with the domain, the password will be changed. Never heard of it from the MS sales guy – someone found LAPS through random web searching. Advanced Group Policy Management that provides auditing and versioning for group policies – not something our MS reps mentioned. Visual Studio Code – yet another find based on random web searching. I know it isn’t the sales guy’s job to tell me about every little bit of free add-on code they have created, but isn’t it in their best interest to ensure that the products that we have become an intrinsic part of our business processes? I tell our SharePoint group that all the time — there are a lot of web based content management platforms. If all you use it for is avoiding web coding … well, I’ve got WordPress that does that. Or some Atlassian wiki thing. And some Jive wiki thing. And some Xerox document repository that has web pages. You need to make something unique to your product intrinsically entwined with business oeprations so no one would ever think of replacing your product.

Soap Fluff Explosion

I made our saboun al ghar inspired soap today. First attempt at hot processing soap, and I had a massive soap explosion. I’d read that your container should be at least three times the volume of soap you are processing. I went with five times in an attempt to stave off a big mess. Blended my pomace olive oil and lye/water/salt mixture to a light trace, and set it over medium heat. It thickened, just like it supposed to. It turned into a gloopy oily mess, just like it supposed to. For future reference — the gloopy oily mess stage is where you want to keep a close eye on it and don’t look away for a minute. I turned back around and saw odd foamy soap stuff pouring out of the pot. Oops!

I scooped the soap fluff off the side of the pot and back into the pot and stirred it down. The fluff quickly turned into a slick substance that did look exactly like petroleum jelly. I added the laurel berry oil, stirred well to incorporate, and let cook for a few more minutes until it looked like petroleum jelly again.

The whole mess was glopped into my large silicon lined wooden soap mold. Now it just needs to set for a while and harden.

24/7 Campaign

How can you be the president of the entire country if you cannot even be the president for the entire military?

The address Trump gave at the commissioning of the USS Gerald Ford may reflect the increasingly long campaign cycle or it may reflect his complete misunderstanding of government (not to mention a complete misunderstanding of how military health care works!). He encouraged (ordered? Not speaking to intent; but as the ostensible head of the military, it would behoove him to use more care in selecting what will be communicated to military personnel) those assembled to “call those senators to make sure you get health care”.

A generous interpretation would be that he isn’t letting an opportunity to push for his legislative agenda pass by – this will be televised, reported … but who stands up at a guy’s retirement party to laud himself and ignore the retiree? Or at a commencement to congratulate yourself … oh, wait. That’d be Trump too. A man seemingly incapable of participating in an event and not making it about himself. Even the generous interpretation is essentially “I’m too self-centered to let your thing be the highlight here”.

But beyond the optics of using the commissioning of a naval vessel as a campaign rally, the ACA does not have a whole lot to do with health care for the active duty military personnel to whom he was ostensibly speaking. TRICARE covers them. It qualifies as insurance under the ACA, so they’re set. Given Trump’s other outright nonsensical ramblings on health care, this in and of itself is telling. Enlisted persons have no more need to lobby for whatever ACA replacement is currently on the table than members of Congress. It’s not going to fuck up their coverage.

Worse, though, the military may report to the president like employees report to the CEO … but it isn’t like we changed out the military for a Republican one in January. They may fight to defend the country, but they are not obligated to support the legislative initiatives of the current administration. From his speech at the CIA Memorial Wall bemoaning how unfairly the press treats him — imagine a similar topic being delivered in front of the Vietnam Veterans Memorial Wall — to this most recent address, Trump seems ignorant of the fact there are liberal government employees and military staff. There are Libertarians. Red scare McCarthyism aside, there are probably socialists too. Point being — there were people in the audience who do not want either of the current Congressional health care plans to pass (given it’s approval rating, the majority of the crowd may even feel that way!) and how insulting is it that the speaker would co-opt what was meant to be a naval celebration to rally support for something to which you object?!

Different when it’s your own

People are forever saying situations are different when it is your own kid, but I’m starting to apply that logic to special [council | prosecutor] investigations. Kelly Anne Conway, on Fox News Friday: “Let’s go back to what the purpose of the investigation was: Russian interference in our election. Where is this going and are Americans comfortable with that — with the taxpayers funding this, with this going off all types of chutes and ladders?”

Hello? What was the point of Ken Starr’s investigation? Some real estate investments. What does that have to do with extra-marital affairs? Well, it’s where the investigation led. And laundering Russian money is where the investigation into Russian support of the Trump campaign leads.

Talking About Adoptions

The fact that seems to be missing from reporting on Trump Jr’s meeting and Trump Sr’s unadvertised meeting with Putin where they “talked about adoptions” is that the 2012 Russian restriction on adoptions was retaliation for the US passing the “Russia and Moldova Jackson-Vanik Repeal and Sergei Magnitsky Rule of Law Accountability Act of 2012”. The American law barred eighteen specific Russians from entering the US *and* froze their American holdings.

There’s no talking about adoptions without also talking the sanctions. It isn’t like the Russians were offering to unilaterally remove the adoption ban. “Talking about adoptions” is essentially a euphemism for discussing the removal of sanctions against a bunch of super wealthy Russians who are probably well-connected to Putin.

Setting Up A New Email Domain – With SenderID and DK/DKIM TXT Records

If you are going to begin using e-mail on a sub-domain of an existing zone, you do not need to do anything special to register the sub-domain. If this is a new domain, it needs to be publicly registered first. The examples used here-in will be a mail domain subordinate to windstream.com. If you are performing the tasks for a new zone, create the new zone first.

To allow e-mail exchange with a domain, create MX record(s). For a third party vendor, they need to tell you what their mail exchangers are. For internally hosted services, use the same assignments and weights from Windstream.com. As of 19 July 2017, those are:

windstream.com  MX preference = 10, mail exchanger = dell903.windstream.com

windstream.com  MX preference = 20, mail exchanger = vml905.windstream.com

windstream.com  MX preference = 110, mail exchanger = neohtwnlx821.windstream.com

Within Infoblox, you need to be using the external DNS view. You can create matching records internally – we tend not to create internal MX records as it prevents internal multi-mailer infections from routing messages. In the proper zone, click Add => Record => MX Record

The mail destination will be the subzone (here we are exchanging e-mail with @ljrtest.windstream.com)

Save this change and create the other MX records. ** You need to clue the servers into the fact this domain is now valid. ** On each server, edit /etc/mail/access and add

Ljrtest.windstream.com  RELAY

If you want to use the virtusertable to map addresses within the domain, you also need to add the domain name to /etc/mail/virtuser-domain

Finally, you need to send the mail somewhere. Edit /etc/mail/mailertable and set a relay destination of somewhere that knows about the domain and is processing mail for it (is that our Exchange server? Someone else’s Unix server? An acquired company’s mail server? … depends on what you are trying to do!)

rushworth.us    relay:[10.5.5.85]

Save, make, and restart sendmail … now you have a fully functional external email domain.

Now secure it – that means adding sender policy framework (SPF), domain key (DK), and domain key identified mail (DKIM) records.

SPF and SenderID Records

There are both sender policy framework (v1) and SenderID (v2) records – you can create both. Not too many people use SenderID anymore, but I invariably end up finding the one guy who is evaluating mail validity purely on SenderID when I create just the SPFv1 record.

In InfoBlox, select Add => Record => TXT record. The mail destination from the MX record needs to be put in the “Name” field. Then the text value – what is that?

Quick answer is it depends. A SPF record lists all mail servers that should be sending e-mail for a domain. Is that just our MX servers? The MX servers plus the netblocks for the internal relays? Some third-party vendor?

Our MX servers and a few netblocks would be:

SPF V1: “v=spf1 mx ip4:166.150.191.128/26 ip4:98.17.202.0/23 ip4:173.186.244.0/23 ip4:65.114.230.67/32 ip4:64.196.161.5/32 ?all”

SPF V2: “spf2.0/pra mx ip4:166.150.191.128/26 ip4:98.17.202.0/23 ip4:173.186.244.0/23 ip4:65.114.230.67/32 ip4:64.196.161.5/32 ?all”

If there is a third-party vendor, they may provide an include statement for our SPF record – this is a way of referencing an external company’s SPF record within your own. You’ll see “include:mktomail.com” in our SPF records where Marketo sends mail on our behalf.

The final bit – we use ?all which means these may not be all of the servers sending mail on our behalf – we are not making an assertion beyond saying the listed sources are good. You may see vendors requesting “~all” which is a soft fail — still allows mail to pass if the sender does not match the list. The strictest is “-all” which fails mail coming from any source not in the list.

Does it matter? Depends – if a recipient has configured their mail servers to reject mail based on SPF and you use -all … mail from servers not on the list will be rejected. Not a lot of companies are thusly configured, though … so there’s not a whole lot of effective difference.

The final step is to test the SPF record. The easiest way to do so is an online SPF test site like http://tools.bevhost.com/spf/

I usually test both a host on the list and one not. The ones on the list will pass. The ones not on the list may fail (with -all) or report as neutral (?all).

DK/DKIM Records

DK and DKIM are public/private key based header signatures that assure the validity of the e-mail sender. The first thing you will need is a public/private key pair – these do not have to be trusted keys from a public certificate authority. A vendor or another internal group may provide their own public key for inclusion in our DNS record. Do not provide our private key to anyone else – keys are free, and if they are unable to generate one of their own, make one for them!

You can use openssl (openssl genrsa -out dkimkey.private 1024 followed by openssl rsa -in dkimkey.private -out dkimkey.public -pubout -outform PEM), an online generator, or the Web CA server. Once you have a key pair, you need a selector. This is because different mail servers may send mail for a domain whilst using unique private keys to sign the messages. The selector can be anything – the selector name is configured in the mail server. It is visible in the mail headers and mail logs, so don’t elect to use anything rude. Stash the private key on your mail server (or provide it to the mail server owner) and put the public key in a DNS TXT record “selectorname._domainkey.sub.domain.gTLD”. The k= indicates the key type (rsa in the openssl example), you can indicate signatures are being tested “t=y” if desired, and then paste the bits between —-BEGIN PUBLIC KEY—- and —-END PUBLIC KEY—- into the p= part.

k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0s07391Axpsi/G0PTsO1 io1LOXSZ0bWAku4bgJ//swZj8OlFvDo59n9qC2Wsd21afI3si/PdDoDP69HNdgAT tIPaK6J0UqcCo9RNSiM3uA+GngdgTupwE2KrKn9/WQbC0tDA8e64e0HBHXwcF/ru OF+18LvpoA/cu1TFUNk0z+GSvqQ4L79k+gZWALvJL7kvCMIu3Gy8ZJpNerRSdrYH l/Nvg87dlZ+9yRI33IwNYpVl1UIrd6qLnGgM1xDMF+Sn21Obd06FOkV5ObXqKBPv 7gMhsUOPu8cIWK7wrd143wH5sWWX1VCBhhIEv1GFp6+SotvZayH5fQ/ri+BjWYzf PwIDAQAB

You should have an author domain signing practices record (_adsp._domainkey.sub.domain.gTLD) – this tells recipients what to do if a message is not signed. The content is “dkim=all” when all mail from the domain is signed. If all mail is signed and anything not signed should be dumped, then the content is “dkim=discardable”. This does not ensure that unsigned messages are discarded – that decision is up to the individual mail recipient configurations. To make no assertion, use “dkim=unknown”.

You should also have a _domainkey.sub.domain.gTLD record – you can include “t=y” when you are testing – this instructs recipients to treat signed and unsigned mail no differently. You can include notes (n=), a responsible party for the domain (r=). The important one is o= … “o=-“ means all mail from the domain should be signed, “o=~” means some mail from the domain may be unsigned.

Then test the records – you can send a message to autorespond+dkim@dk.elandsys.com and receive back a very detailed report on the DKIM validation, or you can use a web-based validation tool that checks only the DNS components.

On Corporate Tax Rates

Sean Spicer, at his non-televised press briefing yesterday, seems to ignore the same basic fundamental of corporate tax calculations: “I’ve talked to several CEOs and business leaders in the past couple of weeks about tax reform, and it’s amazing how many of them tell you that they pay the 35 percent rate. And you say to them, what will you do if that rate drops? And the number-one thing they talk about is they’re going to invest and build more in their company. And I think that’s what we need to do.”

This tells me exactly what the current administration wants from corporate tax reform — not something that would help small businesses. They want to help enormous corporations that actually benefit from lowering the top level US corporate tax rate. Companies sheltering money overseas or investing overseas.

Bar Codes

I realized, recently, that my experience in manufacturing inventory management systems is actually useful for smaller craft businesses. Someone inquired about using bar codes in their soap making business. The first question is why are you using bar codes. For personal use (like inventory management) or codes used by outside parties? Or both — you can have both internal maintained inventory management bar codes and a UPC maintained code for finished products.

If you are trying to sell products in a store that uses laser scanners for checkout, then you need to use a system with managed number assignment. Otherwise two companies could randomly assign the same code to a product — you ring up a bar of soap and get charged for a hundred dollar handbag. What that system *is* depends on where the product would be sold (and, to some extent, what the product *is* — books use an ISBN system). UPC in the US (https://www.gs1us.org), EAN in the EU (https://www.gs1uk.org). The price to use these codes depends on how many unique products you have (https://www.gs1us.org/upcs-barcodes-prefixes/get-started-guide/1-get-a-gs1-us-issued-company-prefix). Up to 10 codes for a 250$ initial fee plus 50$ annual renewal. Up to 100 codes is a 750$ initial fee plus 150$ annual renewal. Up to 1,000 codes is 2,500$ initial fee plus 500$ annual renewal. The price tiers are economical for companies that do not have variants of a single product (different sizes, different colours) because multiple codes are not used for essentially the same product.

I’ve only worked with companies that manufacture single variations of a product. In small craft manufacturing, the number of codes you need can get out of control. Using registered bar codes creates a financial incentive for streamlining product offerings — you could package your bath bombs individually, in two packs, three packs, four packs … ten packs *but* that uses nine different UPC codes! Add a pot of lip balm, a tube of lip balm, a guest bar of soap, and a full size bar of soap and the the renewal fee triples. Some small vendors will accept a single code for same-price items (“4 oz soap bar” or “bath bombs, four pack”), but larger vendors require a unique code for each unique iteration of the product because they manage their inventory through UPC codes. You need to understand who will be using the codes and what their requirements are before you can determine how many codes you need to purchase.

Does purchasing a single UPC through a reseller make sense? Again, the individual retailer requirements need to be checked — some companies require the company prefix be registered to the manufacturer (i.e. you cannot use a reseller to purchase a single UPC code). Assuming your intended customer allows resold codes, the cost effectiveness depends on how many products and for how long you want to maintain your codes. The reseller structure is good for someone test-marketing in a retail store – if the market test does not pan out, you are out ten bucks (current price from a quick Google search). Even long term, a single UPC reseller is cost effective for up to five products. If you have nine products, you save money registering with GS1 in the third year. Seven products breaks even after five years. Six products breaks even after ten years. But verify the services offered by the reseller — how do you update your product registration?

Printing the bar codes is fairly trivial — there are UPC and EAN fonts available. Some are free, some cost money. You type the proper characters (I prefer fonts where ‘9’ on my keyboard is the 9 bar code. A lot of free fonts are mapped oddly – like you need to type ‘c’ to get a 9) and change the font. I also prefer fonts with human-readable characters under the bar code. Firstly this confirms I’ve typed the proper thing, but it also allows for manual code entry in case the bar code gets obscured. You can print the code on your product wrapping, or include the code in your packaging design and outsource package production.

Could you use the UPC/EAN codes for inventory management? Sure — raw materials you purchase may already have a unique code assigned. Scan the bar code, enter the quantity … voila. But if you are purchasing raw materials that are not already coded … there’s no reason to spend money on a prefix that allows you to code all of your inventory! UPC prefix assignments are a little bit like network blocks — there are different “size” blocks that allow different numbers of products to be registered. A prefix block that allows up to 10 products costs a lot less than a prefix block that allows ten thousand products. If you grow a bunch of different botanicals in your garden, allocating a registered code to each item could get quite costly.

As an inventory management system (the majority of my barcode experience), you can use whatever format bar code and whatever numbering system you like. The number doesn’t need to mean anything to anyone else – and it does not need to be globaly unique – so the entire process is a lot easier. If the manufacturing company next door uses your code for resistance wire for their quart bottles … who cares. As long as you have a database that indicates that item 72 is magnesium oxide powder, people scanning inventory against your database will see magnesium oxide powder.

For printing bar codes, there are fonts available for free online. I’ve used code 39 in the inventory systems I’ve built out – to print the code, just type the numbers and change the font. We used sheets of sticky labels & printed the barcodes onto them – then stuck the label on the raw material bins. Work orders printed out on a form and had a sticky label for the product(s) being built. Scanning the product bar code brought up a list of materials that needed to be used and pull up the engineering draft for the product. Employees scanned raw materials out of inventory as they pulled parts, built the item, then affixed the label from the work order to finished product to scan the completed item into inventory. All of the number assignments were internal – generally using whatever manufacturing software the company already maintained, but I’ve done it in custom code with a PHP front end and MySQL backend too. You need a form for adding to inventory and a form for removing from inventory. Scan the bar code to input the item number, enter the amount being used, submit. You could even maintain your purchase orders and recipes as a batch of inputs — receive an order and check everything contained there-in into inventory. Select a specific recipe and check set amounts of ingredients out of inventory.

I generally also create a reconciliation form — similar to how stores will go through and do manual inventory counts to true-up their database inventory with reality, a reconciliation form allows you to update the inventory database with the actual amount on hand. Personally, I store deltas from true-up operations too — if we should have fifty ounces of shea butter but only have forty seven because of over-measuring or small bits left on scoops, we want to know that there was a loss of three ounces. Once you know your inventory deltas, then you can include that loss into the cost of goods produced.

Why would you want to put so much effort into tracking your inventory? I see a lot of people asking how someone calculates costs for finished products. Calculating cost is fairly easy if you track your inventory in and out (costs not associated with inventory [your time, electricity, space, taxes] still need to be accommodated). In the inventory database, you have an item number, a quantity, and a price per unit value. As inventory is checked in, the price per unit is adjusted to include the incoming items. A recipe — specific amounts of different items — can be represented as a cost. You can also track material cost over time (trend the price of an ingredient, see if there’s a better time to buy it) or compare costs for product reformulation – takes additional database space and a little extra coding, but it is good information to manage costs.

How to reflect shipping costs on incoming inventory is a personal decision. The easiest way is to divide the cost equally over the items – this works well for flat-rate shipped orders. You could also divide the shipping cost over the weight of the shipment — 10 dollars in shipping over forty pounds of materials is twenty-five cents per pound. Then a three pound item cost seventy-five cents in shipping. A ten pound item is 2.50$ to ship.

The question was specifically asked regarding soap making, but the methodology is valid for basically any industry or home business. Most of my experience was garnered in an electric heater element manufacturer. The approach is viable for recipe-based manufacturing (knitting, crocheting, sewing, soap making) and even non-recipe based manufacturing … you’d just need to pull materials from inventory as you use them.

Alternative Fact: Just Oppo Research

Alternative fact: “Politics is not the nicest business in the world, but it’s very standard where they have information and you take the information.” Trump at a joint press conference with French President Macron in Paris.

Real fact: There is an interesting article on Politico from someone who actually conducted oppo research.  Obtaining private (and anything so sensitive that it needs to be discussed with you instead of your dad’s assistant is somewhat obviously not public record type stuff) information from frenemy nation governments.

When a public investigation in the Ukraine revealed payments to Manford, receiving information from a public investigation … well, using it might be sleazy politics (in that respect, Trump is not wrong … politics is not nice). But buying a computer on sale from a well known retail store isn’t illegal whereas purchasing one for half retail from the back of some guy’s van behind the Tower City is probably going to garner a receiving stolen goods charge.

There was a car theft ring in Pennsylvania that obtained blank titles from Harrisburg. Purchasing a car with a valid title from a used car dealer is not a suspicious circumstance. Victims were out money because the cars were returned to their rightful owners, but they were not charged with a crime because nothing about their scenario seemed suspicious.

The item itself, nor its provenance , are not the only considerations — how suspicious a reasonable person would have been of the circumstances is the distinction between a criminal activity and being a victim of a crime.

Certificate Error On Git

Finally got around to switching my GitLab site over to HTTPS — made an ssl folder in /etc/gitlab and then placed the public/private key pair in that folder. Files named with the external URL hostname with a key and crt suffix (gitlab.rushworth.us.crt and gitlab.rushworth.us.key in my case). Then in gitlab.rb, I changed the external_url to an https:// prefix. Voila, a secure GitLab server.

Oops – forgot about the client. Adding the secure site as the remote, I get “unable to get local issuer certificate” on the git client. Since I used a CA signed certificate, I just had to put the CA public key into git’s ca bundle. If you use a self-signed certificate, I believe the certificate public key would need to be used.

Where is git’s CA bundle? Ask git:

C:\Program Files\Git\bin>git config –list
core.symlinks=false
core.autocrlf=true
core.fscache=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
help.format=html
rebase.autosquash=true
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
filter.lfs.clean=git-lfs clean — %f
filter.lfs.smudge=git-lfs smudge — %f
filter.lfs.required=true
filter.lfs.process=git-lfs filter-process
credential.helper=manager
http.sslverify=true

Edit that file with something that understands Unix new line characters and paste your CA public key at the end of the file.