Author: Lisa

Alternative Fact: Trade Wars

Alternative Fact (from Trump’s Twitter @ dark-o-clock today): “When a country (USA) is losing many billions of dollars on trade with virtually every country it does business with, trade wars are good, and easy to win. Example, when we are down $100 billion with a certain country and they get cute, don’t trade anymore-we win big. It’s easy!”


Real fact: Not buying a billion dollars of stuff from country X does not mean said “stuff” will now be produced domestically (even assuming the domestic capacity and raw materials to produce the “stuff” exist). It may well mean we pay a few cents more (bad for people with limited income streams) to source the “stuff” from country Y (until Trump sufficiently offends them too and we have to move on to country Z at yet another slight cost increase).

Retaliatory actions significantly reduce American exports too (see: Bush 2’s steel tariff a year or so into his presidency). So maybe you’ve managed to reduce the trade deficit with country X. But you’ve worsened the overall trade deficit in two ways: we’re paying more for our imported “stuff” AND the targeted countries (and possibly non-targeted countries) are buying less from us.

Now, theoretically, slapping widespread tariffs on everything sourced from everywhere would be an easy trade war to win – assuming you want to restrict your country to domestic markets (again, retaliatory action). I expect that means domestic corporations with international operations would spin off their international divisions. An ugly mess … and probably why the stock market reacted so poorly yesterday.

Bonus real fact: China isn’t our biggest trading partner for steel or aluminium. That would be Canada. And the EU. Both of whom, I must assume, will object to the tariffs (again, see Bush 2 in 2002).

Let the war begin

One thing I respected about the first President Bush was that he didn’t attempt to secure re-election by re-invading Iraq. The 1990-1991 invasion of Iraq led to significant jumps in Bush’s approval rating — 15 points at the onset and 20 points when we “won”. The surge of nationalism (and the “don’t change horses mid-race” thinking that certainly helped his son’s re-election bid) that accompanies military action may well have allowed him to win in 1992.

George W didn’t have terrible approval ratings at the onset of his presidency – his approval number was over 50% just before 9/11. But his approval rating hit near 90% in the immediate aftermath.

Which brings me to Trump. Someone who loves glowing praise. And who kicked off a new round of trade wars with tariffs on steel and aluminium which may allow some increased domestic production, but is more apt to make everything that uses steel or aluminium more expensive. Or maybe it makes more sense to make parts in Canada and truck the bits South. Or maybe finished products crossing the ocean become cost competitive. And that doesn’t even address the adverse response from trading partners.

If the guy was sufficiently delusional to believe it was possible for any president to receive a surfeit of adoration, and by his own admission he’s not into fomenting new wars (plus he has some existing wars in which to drop huge bombs, plus the general population has had more than enough warring to last a few lifetimes) … is it possible this is a self-aggrandizing trade war?

Project Stack – 2018

Anya’s Sleeping Bag – this is assembled and I am slowly quilting the bag. Very, very slowly 🙂

Warm Fuzzy Slippers – Two of three sets have been assembled sans the rubber bottom. Next up – making a larger husband-foot sized pattern

Holiday Circle Skirts – We have Halloween, Easter, and birthday skirts. I am still working on St Patrick’s and Independence Day.

Bed – a new project to make a bed/desk for Anya’s room

T-shirt embroidery – finished quite a few, but I’d like to get a few more size 5/6 shirts finished.

Bed for Anya

It’s about time to get a bigger bed for Anya. And a desk. She doesn’t have a particularly small bedroom, but one wall is eight feet of sliding glass door and another is fifteen and a half feet of closet / raised hearth / doorway. The third wall has four feet of doorway, where you stand to access her closet, and the remaining three feet house a bookshelf and her fish tank. This configuration greatly restricts the space available for beds and desks. Unfortunately most loft beds with desks underneath aren’t attractive to me. Then a random image on Pinterest showed this desk/bed combo — storage under the desk platform and a hide-away under the bed platform.

I’m working out reasonable dimensions for the unit and hope to make one this spring.

Pieced Rainbow Circle Skirt

I am finally making the pieced circle skirt my mom had found a few years ago. I’d worked out the proper dimensions and created a pattern to make an Anya-sized circle: it uses fifteen different cotton solid fat quarters. I purchased the fabric in half-yard cuts, then cut each piece into fat quarters so mom and I can make skirts for both Aisha and Anya.

I was hesitant to make the skirt until I was more adept with my serger. After making a Peppermint Swirl Dress, I felt a lot more confident serging these curved pieces.

The pattern pieces did not include a seam allowance; the allowance was added on the fabric. I traced the pattern piece itself onto the fabric, added the allowance around it, then serged the pieces together with the needle farthest from the blade running along the traced line.

I assembled the circles instead of making wedges.

The concentric rings matched up well (Whew! That was a big relief … I was worried that I’d end up with a wonky misaligned mess).

I cut strips of each colour for the waistband and attached them individually to the color-matching circle to ensure the corners lined up. Once each piece was in place, I connected the different colors together. The bottom hem needs to be turned up and stitched, but I’ve got a gradient rainbow circle skirt!


Live Fire Exercises

Arm the teachers, they say. The best way to stop a bad guy with a gun is a good guy with a gun, they say. There’s some derision to this plan because of the logistical and financial challenges. Unless Glock, Sig, and H&K are donating handguns, are we really going to pay to arm teachers when we won’t pay for [tissues | pencils | paper | all of the other classroom supplies teachers are self-funding]? Are the local police ranges going to be open for these individuals? Is Cor-Bon donating thirty million rounds of ammo a month? (Think I’m joking? That’s LOW. There are some 100,000 public schools in the US. One armed dude isn’t going to help – what if he’s sick that day? Three per school is a low average. Say a hundred bullets a month [most people I know who regularly train with firearms shoot at least fifty rounds a week]. 100,000 * 3 * 100 = 30,000,000 bullets.) But that’s the least of my concerns.

Trump stresses that these are well trained individuals. Trained how?!? A gun for home defense is a fairly controlled situation with a small number of well known ‘good guys’. Make sure you know where the spouse & kids are taking cover, and teach them to STAY STILL. While it’s more difficult to hit a moving target than a stationary one, range time is good practice. In a school hallway, where the teacher knows maybe a quarter of the students well … which one is the short-ish guy in a gray hoodie? And what happens when, amid the chaos, some innocent (panicking) kid runs into the path of a teacher’s bullet? Or the local kid who shut down the high school a few days ago with a toy gun (bright orange tip and everything) gets terminated to ‘save’ the rest of the students (and, yeah, totally dumb move taking a toy gun into school … but probably not something for which anyone deserves to die)? What happens when these good guys with guns realize it’s hard to shoot another human being?

Unless this training includes hours of live fire exercises every month, “training” is not going to help. But it does let politicians claim to have done something. And it does provide a convenient scapegoat for future school shootings — because public discourse shall not say “well, obviously a good guy with a gun isn’t helpful” but rather “what flaw in these people had them fail in saving the day?”

WebLogic LDAP Authentication

Configuring an LDAP Authentication provider in WebLogic (version 11g used in this documentation)

  • In configuring LDAP authentication, I add a new authentication provider but continue to use the local provider for the system account under which WebLogic is launched. Partly because I don’t really use WebLogic (there’s an Oracle app with its own management site that runs within WebLogic – very small number of users, so our configuration is in no way optimized), but partly because using a network-sourced system account can prevent your WebLogic instance from launching: if your config isn’t right, or the network is down, or a firewall gets in the way, or the LDAP server is down, WebLogic fails to launch because its system ID cannot be validated.

WebLogic Configuration

Lock & Edit the site so we can make changes. On the left-hand pane, scroll down & find Security Realms

Go into your realm and select the “Providers” tab; on the Authentication sub-tab, click New. Supply a name for the provider (I included “LDAP” in the name to make clear which provider this was – you may even want something like “CompanyXLDAPAuthProvider”).

Select type “LDAPAuthenticator” for generic LDAP (I was using Sun DSEE, and moved to Oracle OUD without changing the authenticator type). Click OK to create.

Change the control flag on your default authenticator. Click the hyperlink for the default provider. On the “Common” tab, change the “Control Flag” to “SUFFICIENT” and save. (Left at its default of REQUIRED, the embedded authenticator would have to accept every login, so users who exist only in LDAP could never get in.)

Click the hyperlink for the newly created provider. On the “Common” tab, change the “Control Flag” to “SUFFICIENT” and save. With both providers SUFFICIENT, a login succeeds as soon as either provider accepts it. Providers are tried in the order listed on the Providers tab, so use Reorder if you want LDAP consulted before the local accounts.

Select the “Provider specific” tab.


Host:     <your LDAP server>

Port:      636

Principal:             <Your system account, provided when you request access to the LDAP directory>

Credentials:        <Your system account password>

Confirm Credentials:       <same as credentials>

SSLEnabled:        Check this box (for testing purposes, i.e. if you are unable to connect with these instructions as provided, you can set the port to 389 and leave this box unchecked to help troubleshoot the problem; bear in mind that an unencrypted bind sends the principal’s password across the network in the clear. Production authentication needs to be done over SSL.)


User Base DN:    <get this from your LDAP admin. Ours is “ou=people,o=CompanyX”>

All User Filter:    (&(objectClass=inetOrgPerson))

For applications with a single group restricting valid users, you can use the filter: (&(objectClass=inetOrgPerson)(isMemberOf=cn=GroupNameHere,ou=groups,o=CompanyX)) (isMemberOf is a virtual attribute provided by DSEE and OUD; Active Directory’s equivalent is memberOf)

Users from name filter:  (&(uid=%u)(objectClass=inetOrgPerson))

User Search Type:                           subtree (onelevel may be fine, but verify with your LDAP administrator)

User Name Attribute:                     uid

User Object Class:                           inetOrgPerson

Use Retrieved User Name as Principal – I didn’t select this, and don’t really know what it does. (Per the WebLogic documentation, it makes the user name as stored in the directory, rather than as typed at login, the principal name in the Subject.)


Group Base DN:               <another one to get from your LDAP admin. Ours is “ou=groups,o=CompanyX”>

All Groups Filter:              (&(objectClass=groupOfUniqueNames))

If your group names all have the same prefix, you could limit “all” groups to just your groups with a filter like (&(objectClass=groupOfUniqueNames)(cn=MyApp*))

Group from name filter: (&(cn=%g)(objectclass=groupofuniquenames))

Group search scope:                      subtree (again, onelevel may be fine)

Group membership searching:    <We select ‘limited’ because there are no nested groups in the LDAP directories. If you need to resolve nested group memberships, this and the next value will be different>

Max group membership search level:      0 (with ‘limited’ searching, 0 returns only the groups a user is a direct member of; raise it to follow group-within-group nesting that many levels)

Ignore duplicate membership:     Doesn’t really matter as we don’t have duplicates. I left this unchecked.

Static groups

Static group Attribute name:       cn

Static group Object Class:             groupOfUniqueNames

Static Member DN Attribute:       uniqueMember

Static Group DNs from Member filter:     (&(uniquemember=%M)(objectclass=groupofuniquenames))

Dynamic Groups              this section is left blank/defaults as we don’t use dynamic groups


Connection Pool Size:     Ideal value dependent on your anticipated application load – default of 6 is a good place to start.

Connect timeout:             Default is 0. I don’t know if this is something particular to WebLogic, but I generally use a 15 or 30 second timeout. If the server hasn’t responded in that period, it is not going to respond and there’s no need to hang the thread waiting.

Connection Retry Limit: Default is 1, this should be sufficient but if you see a lot of connection errors, either increase the connect timeout or increase this retry limit

Parallel Connect Delay:  0 (default) is fine

Result time limit:              0 (default) is OK. On my LDAP server, there is no time limit for searches. Since WebLogic is making very simple searches, you could put a limit in here so that any search that takes abnormally long times out instead of hanging the thread

Keep Alive Enabled:         Please do not enable keep alive unless you have a specific need for it. Bringing up a new session uses slightly more time/resources on your app server than re-using an existing connection but that keep alive is a LOT of extra “hey, I’m still here” pings against the LDAP servers

Follow Referrals:              Un-check this box unless your LDAP admin tells you referrals are in use and should be followed.

Bind Anonymously on referrals:  Leave unchecked if you are not following referrals. If referrals are used and followed – ask the LDAP admin how to bind

Propagate cause for logon exception:      I check this box because I *want* the ugly LDAP error code that explains why the logon failed (LDAP result code 49 is invalidCredentials, a bad user/password pair; 19 is constraintViolation, which DSEE/OUD return for a locked-out account). There is no *need* to check the box, and if you do, make sure the application logs the cause rather than displaying it, since “locked out” versus “bad password” tells whoever is typing which accounts exist

Cache Related Settings:  This is something that would require more knowledge of WebLogic than I have 😊

If you enable caching, you may not see changes for however long the cache duration is. So the defaults (cache enabled, retained for 60 seconds) wouldn’t really create a problem. Set the cache duration to one day instead (a silly setting, chosen to make the problem caching can create clear) and consider this: I log into your application at 2PM, do a whole bunch of work and go home. The next morning I see my “your password is about to expire” warning, so I go out to the password portal and change my password, reboot, log back into my computer … and try to access your application, where I am told my password is invalid. I could try again, even type what I *know* is my password into Notepad and paste it into your app, and still not be able to log on. My old password, were I to try it, would work; otherwise I’d have to wait until after 2PM before my new password worked.

Group membership changes could be a problem too – with the same 24 hour cache, if I am a valid user of your application who signs in at 2PM today, but my job function changes tomorrow morning & my access is revoked … I will still have application access until the cache expires. I am not sure if WebLogic does negative caching – basically if I am *not* a user, try to sign in and cannot because I lack the group membership & get an access request approved *really quickly* to become a group member, I may still be unable to access the application until the “Lisa is not a member of group XYZ” cache expires. If WebLogic does not do negative caching, then this scenario is not an issue.

So you might be able to lower utilization on your app server & my LDAP server by enabling cache (if your app, for instance, re-auths the object **each time the user changes pages** or something, then caching would be good). If you are just checking authentication and authorization on logon … probably not going to do much to lower utilization. But certainly keep the cache TTL low (like minutes, not days).

GUID Attribute:  nsUniqueID
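The filter templates above are easier to reason about once you see the lookup sequence they drive. What follows is an added example, not code from this write-up, from Oracle or from WebLogic: a small Python re-implementation of what an LDAP authenticator does with these settings, run against a constructed in-memory directory (the DNs, users, passwords and group names are all made up for the demo) so it works offline. It substitutes the login name into the “Users from name filter”, insists on exactly one match, checks the password (standing in for the bind as the user), then walks static group membership with the “Static Group DNs from Member filter”, honouring a maximum nesting level the way the ‘limited’ membership setting does. It also shows why whatever performs the substitution must RFC 4515 escape the value: an unescaped login name such as *)(uid=* turns the user filter into one that matches every user.

```python
import re

# Provider-specific settings from the write-up (o=CompanyX is the page's placeholder).
USER_BASE_DN = "ou=people,o=CompanyX"
GROUP_BASE_DN = "ou=groups,o=CompanyX"
USERS_FROM_NAME_FILTER = "(&(uid=%u)(objectClass=inetOrgPerson))"
STATIC_GROUP_DNS_FROM_MEMBER = "(&(uniquemember=%M)(objectclass=groupofuniquenames))"

# Constructed directory standing in for DSEE/OUD: DN -> attributes (attribute names lowercase).
DIRECTORY = {
    "uid=lisa,ou=people,o=CompanyX": {
        "objectclass": ["inetOrgPerson", "person"], "uid": ["lisa"],
        "userpassword": ["correct horse battery"]},
    "uid=bob,ou=people,o=CompanyX": {
        "objectclass": ["inetOrgPerson", "person"], "uid": ["bob"],
        "userpassword": ["hunter2"]},
    "cn=MyAppUsers,ou=groups,o=CompanyX": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["MyAppUsers"],
        "uniquemember": ["uid=lisa,ou=people,o=CompanyX"]},
    "cn=AllStaff,ou=groups,o=CompanyX": {   # nested: its member is the group, not the user
        "objectclass": ["groupOfUniqueNames"], "cn": ["AllStaff"],
        "uniquemember": ["cn=MyAppUsers,ou=groups,o=CompanyX"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(raw):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

# One (attr=value) assertion; the value may carry \XX escapes but no bare parentheses.
_TERM = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)=((?:[^()\\]|\\[0-9A-Fa-f]{2})*)\)")

def parse_and_filter(filt):
    """Parse '(&(a=v)(b=w)...)' into [(attr, raw_value)]; anything else is rejected."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only AND-of-equality filters are supported: " + filt)
    body, terms, pos = filt[2:-1], [], 0
    for m in _TERM.finditer(body):
        if m.start() != pos:
            raise ValueError("malformed filter: " + filt)
        terms.append((m.group(1).lower(), m.group(2)))
        pos = m.end()
    if pos != len(body) or not terms:
        raise ValueError("malformed filter: " + filt)
    return terms

def search(base_dn, filt):
    """Subtree search: DNs under base_dn whose entry satisfies every term (case-insensitive)."""
    terms, suffix, hits = parse_and_filter(filt), "," + base_dn.lower(), []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(suffix):
            continue
        ok = True
        for attr, raw in terms:
            values = [v.lower() for v in attrs.get(attr, [])]
            if raw == "*":                       # presence assertion, as in (uid=*)
                ok = ok and bool(values)
            else:
                ok = ok and _unescape(raw).lower() in values
        if ok:
            hits.append(dn)
    return hits

def user_search_hits(login_name, escape=True):
    """How many entries the 'Users from name filter' matches for this login name."""
    value = escape_filter_value(login_name) if escape else login_name
    return len(search(USER_BASE_DN, USERS_FROM_NAME_FILTER.replace("%u", value)))

def resolve_groups(member_dn, max_level=0):
    """Static group lookup; max_level mirrors 'Max group membership search level'
    (0 = direct memberships only, n = follow group-in-group nesting n levels)."""
    found, frontier, level = [], [member_dn], 0
    while frontier:
        next_frontier = []
        for dn in frontier:
            filt = STATIC_GROUP_DNS_FROM_MEMBER.replace("%M", escape_filter_value(dn))
            for group in search(GROUP_BASE_DN, filt):
                if group not in found:
                    found.append(group)
                    next_frontier.append(group)
        if level >= max_level:
            break
        frontier, level = next_frontier, level + 1
    return found

def authenticate(login_name, password, max_level=0):
    """Return (user DN, list of group DNs) on success, None on failure."""
    filt = USERS_FROM_NAME_FILTER.replace("%u", escape_filter_value(login_name))
    hits = search(USER_BASE_DN, filt)
    if len(hits) != 1:       # unknown user, or an ambiguous filter: refuse either way
        return None
    user_dn = hits[0]
    if password not in DIRECTORY[user_dn].get("userpassword", []):  # stands in for the user bind
        return None
    return user_dn, resolve_groups(user_dn, max_level)

if __name__ == "__main__":
    print(authenticate("lisa", "correct horse battery", max_level=1))
    print("unescaped hits:", user_search_hits("*)(uid=*", escape=False),
          "escaped hits:", user_search_hits("*)(uid=*"))
```

With max_level left at 0, lisa resolves only to MyAppUsers; with max_level=1 the walk follows MyAppUsers into AllStaff, which is the difference the ‘limited’ setting and its level control. The unescaped call returns two hits (every user in ou=people), which is exactly the situation the single-match check exists to refuse; the escaped call returns none.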

Establishing The SSL Trust

For encryption to be negotiated with the LDAP servers, you need a trust keystore that contains the certificates of the CA chain used to sign the LDAP server cert. Obtain the Base64 (PEM) encoded CA certificates either from the PKI admin or the LDAP admin. Place the file(s) on your server – I use the /tmp/ directory since they are no longer needed after import.

From the domain structure section, select: Environment=>Servers and select your server. On the “Configuration” tab, click the Keystores sub-tab. If you are not already using a custom trust, you need to change the keystore type to use a custom trust (and specify a filename in a path to which the WebLogic account has access – keystore type is JKS and the password is whatever you are going to make the keystore password). If you *are* already using a custom trust, just record the file name of the custom trust keystore.

Use keytool to import the CA certificates into the file specified as the custom trust. The following examples use a root and signing CA from my company, the CA chain that signs our LDAP SSL certs.

./keytool -import -v -trustcacerts -alias WIN-ROOT -file /tmp/WIN-ROOT-CA.b64 -keystore /path/to/the/TrustFile.jks -keypass YourKeystorePassword -storepass YourKeystorePassword

./keytool -import -v -trustcacerts -alias WIN-WEB -file /tmp/WIN-WEB-CA.b64 -keystore /path/to/the/TrustFile.jks -keypass YourKeystorePassword -storepass YourKeystorePassword

*** Under Advanced on the server’s SSL tab, I had to check “Use JSSE SSL” for SSL to work. Without it checked, I got the following errors in the log:

####<Feb 23, 2018 10:11:36 AM EST> <Notice> <Security> <> <AdminServer> <[ACTIVE] ExecuteThread: ’12’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <58b1979606d98df5:292a2ff6:161c336d0ba:-8000-0000000000000007> <1519398696289> <BEA-090898> <Ignoring the trusted CA certificate “CN=WIN-WEB-CA,DC=CompanyX,DC=com”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

####<Feb 23, 2018 10:11:36 AM EST> <Notice> <Security> <> <AdminServer> <[ACTIVE] ExecuteThread: ’12’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <58b1979606d98df5:292a2ff6:161c336d0ba:-8000-0000000000000007> <1519398696289> <BEA-090898> <Ignoring the trusted CA certificate “CN=WIN-Root-CA”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

The OID in those messages, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption: the CA certificates are SHA-256 signed, which the older Certicom-based SSL stack in this WebLogic release cannot parse but JSSE handles. An alternate solution would be to update your WebLogic instance – there are supposedly patches, but I’m not sure which revision and it wasn’t worth trial-and-erroring WebLogic patches for my one WebLogic instance with a dozen users.

Whew, now save those changes. Activate the changes, and you will probably need to restart your WebLogic service for them to take effect. You can then go into the roles and add LDAP groups; specifically, I added our LDAP group’s CN to the Administrators WebLogic role. Bear in mind that this hands control of the domain to whoever can change that group’s membership in the directory, so the group needs to be administered as carefully as the WebLogic admin account itself.

Actual Data – On What Is SNAP Money Spent?

Turns out there is actual data (not complete, as it does not account for non-SNAP cash purchases … but how many people pay cash at the grocery store?) regarding what groceries people buy with SNAP and what groceries they buy otherwise. Here.

And I get the compassionate argument that I shouldn’t dictate what someone can and cannot purchase just because they happen to have fallen on hard times. That’s a bit like saying you cannot be irked when a friend asks to borrow a couple hundred bucks to make rent and you then encounter the same friend buying a new couture handbag / stereo system / whatever floats their boat. You can! And probably are. Because it’s one thing to blow your own money on whatever you want, it’s quite another to tell me you need help at the same time. So, yeah, I want food bought with SNAP funds to be better than that on which an average American spends their grocery money.

And … kind of surprising … it might be. Either way, #1 is meat/poultry/seafood (not a vegan’s view of healthy, but not guaranteed to be junk food). SNAP folks? #2 is veggies, 3 is cheese, 4 is fruits. Crap starts to show up at #5 (soda and such) and 6 (desserts). Frozen prepared foods, at 8, are generally unhealthy. For the non-SNAP baskets: soda is #2, frozen prepared foods #4, and prepared desserts #5. Welfare queen stereotype aside, it turns out SNAP recipients do allocate more of their funds to non-junk categories than average American shoppers.

But there’s better and there’s well.  I don’t think it’s right for two billion dollars in tax money to go toward SNAP purchases of sweetened beverages. And another two billion for prepared desserts. That’s eight BILLION dollars in one YEAR toward obvious junk if we concede people believe bottled water, fruit juices, and coffee/tea are essentials. Up to 9.7 billion if those are included as well.

SNAP recipient purchases:

Rank Category $ in millions % of expenditures
1 Meat, Poultry and Seafood $5,016.30 15.92%
2 Vegetables $2,873.90 9.12%
3 High Fat Dairy/Cheese $2,483.20 7.88%
4 Fruits $2,271.20 7.21%
5 Sweetened Beverages $2,238.80 7.10%
6 Prepared Desserts $2,021.20 6.41%
7 Bread and Crackers $1,978.20 6.28%
8 Frozen Prepared Foods $1,592.30 5.05%
9 Milk $1,211.00 3.84%
10 Salty Snacks $969.70 3.08%


Non-SNAP purchases – Top 10:

Rank Category $ in millions % of expenditures
1 Meat, Poultry and Seafood $1,262.90 19.19%
2 Sweetened Beverages $608.70 9.25%
3 Vegetables $473.40 7.19%
4 Frozen Prepared Foods $455.20 6.92%
5 Prepared Desserts $453.80 6.90%
6 High Fat Dairy/Cheese $427.80 6.50%
7 Bread and Crackers $354.90 5.39%
8 Fruits $308.20 4.68%
9 Milk $232.70 3.54%
10 Salty Snacks $225.60 3.43%


Breaking the data down further, either group’s #1 fruit expenditure? Orange juice. Sigh! #1 vegetable expenditure? Potatoes.