Month: February 2018

Project Stack – 2018

Anya’s Sleeping Bag – this is assembled and I am slowly quilting the bag. Very,¬†very slowly ūüôā

Warm Fuzzy Slippers РTwo of three sets have been assembled sans the rubber bottom. Next up Рmaking a larger husband-foot sized pattern

Holiday Circle Skirts – We have Halloween, Easter, and birthday skirts. I am still working on St Patrick’s and Independence Day.

Bed – a new project to make a bed/desk for Anya’s room

T-shirt embroidery – finished quite a few, but I’d like to get a few more size 5/6 shirts finished.

Bed for Anya

It’s about time to get a bigger bed for Anya. And a desk. She doesn’t have a particularly small bedroom, but one wall is eight foot of sliding glass door and another is fifteen and a half feet of closet / raised hearth / doorway. The third wall has four foot of doorway, where you stand to access her closet, and the remaining three feet house a bookshelf and her fish tank. This configuration greatly restricts the space available for beds and desks. Unfortunately most loft beds with desks underneath aren’t attractive to me.¬†Then a random image in Pinterest had this desk/bed combo — storage under the desk platform and a hide-away under the bed platform.

I’m working out reasonable dimensions for the unit and hope to make one this spring.

Pieced Rainbow Circle Skirt

I am finally making the pieced circle skirt my mom had found a few years ago. I’d worked out the proper dimensions and created a pattern to make an Anya-sized circle: t uses fifteen different cotton solid fat quarters. I purchased the fabric in half-yard cut, then cut each piece into a fat quarter so mom and I can make skirts for both Aisha and Anya.

I was hesitant to make the skirt until I was more adept with my serger. After making a Peppermint Swirl Dress, I felt a lot more confident serging these curved pieces.

The pattern pieces did not include a seam allowance; the allowance was added on the fabric. I also traced the pattern piece itself, then serged the pieces together with the needle farthest from the blade along the pattern piece’s line.

I assembled the circles instead of making wedges.

The concentric rings matched up well (Whew! That was a big relief … I was worried that I’d end up with a wonky misaligned mess).

I cut strips of each colour for the waistband and attached them individually to the color-matching circle to ensure the corners lined up. Once each piece was in place, I connected the different colors together. The bottom hem needs to be turned up and stitched, but I’ve got a gradient rainbow circle skirt!

 

Live Fire Exercises

Arm the teachers, they say. The best way to stop a bad guy with a gun is a¬†good guy with a gun, they say. There’s some derision to this plan because of the logistical and financial challenges. Unless Glock, Sig, and H&K are donating handguns, are we¬†really going to pay to arm teachers when we won’t pay for [tissues | pencils | paper | all of the other classroom supplies teachers are self-funding]? Are the local police ranges going to be open for these individuals? Are Cor-Bon donating thirty million rounds of ammo a month (Think I’m joking? That’s LOW. There are some 100,000 public schools in the US. One armed dude isn’t going to help – what if he’s sick that day? Three per school is a low average. Say hundred bullets a month [most people I know who regularly train with firearms shoot¬†at least fifty rounds a week]. 100,000 * 3 * 100 = 30,000,000 bullets.) But that’s the least of my concerns.

Trump stresses that these are well trained individuals. Trained how?!? A gun for home defense is a fairly controlled situation with a small number of well known ‘good guys’. Make sure you know where the spouse & kids are taking cover, and teach them to STAY STILL. While it’s more difficult to hit a moving target than a stationary one, range time is good practice. In a school hallway, where the teacher knows maybe a quarter of the students well … which one¬†is the short-ish guy in a gray hoodie?¬†And what happens when, amid the chaos, some innocent (panicking) kid runs into the path of a teacher’s bullet? Or the local kid who shut down the High School a few days ago with a¬†toy gun (bright orange tip and everything) gets terminated to ‘save’ the rest of the students (and, yeah, totally dumb move taking a toy gun into school … but probably not something for which anyone deserves to die). What happens when these good guys with guns realize it’s¬†hard to shoot another human being.

Unless this training includes hours of live fire exercises every month, “training” not going to help. But it¬†does let politicians claim to have done something. And it does provide a convenient scapegoat for future school shootings — because public discourse shall not say “well, obviously a good guy with a gun isn’t helpful” but rather “what flaw in these people had them fail in saving the day?”

WebLogic LDAP Authentication

Configuring an LDAP Authentication provider in WebLogic (version 11g used in this documentation)

  • In configuring LDAP authentication, I add a new authentication provider but continue to use the local provider for the system account under which WebLogic is launched. Partially because I don‚Äôt really use WebLogic (there‚Äôs an Oracle app with its own management site that runs within WebLogic ‚Äď very small number of users, so our configuration is in no way optimized), but partially because using a network-sourced system account can prevent your WebLogic instance from launching. If your config isn‚Äôt right, or if the network is down, or a firewall gets in the way, or the LDAP server is down ‚Ķ. Your WebLogic fails to launch because its system ID is not validated.

WebLogic Configuration

Lock & Edit the site so we can make changes. On the left-hand pane, scroll down & find Security Realms

Go into your realm, select the ‚Äúproviders‚ÄĚ tab. Supply a name for the provider (I included ‚ÄúLDAP‚ÄĚ in the name to ensure it was clear which provider this was ‚Äď may even want to specify something like ‚ÄúCompanyXLDAPAuthProvider‚ÄĚ)

Select type ‚ÄúLDAPAuthenticator‚ÄĚ for generic LDAP (I was using Sun DSEE, and moved to Oracle OUD without changing the authenticator type). Click OK to create.

Change the control flag on your default authenticator. Click the hyperlink for the default provider. On the ‚ÄúCommon‚ÄĚ tab, change the ‚ÄúControl Flag‚ÄĚ to ‚ÄúSUFFICIENT‚ÄĚ and save.

Click the hyperlink for the newly created provider. On the ‚ÄúCommon‚ÄĚ tab, change the ‚ÄúControl Flag‚ÄĚ to ‚ÄúSUFFICIENT‚ÄĚ and save.

Select the ‚ÄúProvider specific‚ÄĚ tab.

Connection

Host:     <your LDAP server>

Port:      636

Principal:             <Your system account, provided when you request access to the LDAP directory>

Credentials:        <Your system account password>

Confirm Credentials:       <same as credentials>

SSLEnabled:        Check this box (for testing purposes, i.e. if you are unable to connect with these instructions as provided, you can set the port to 389 and not check this box to help with troubleshooting the problem. But production authentication needs to be done over SSL)

Users

User Base DN:¬† ¬† <get this from your LDAP admin. Ours is “ou=people,o=CompanyX”)

All User Filter:    (&(objectClass=inetOrgPerson))

For applications with a single group restricting valid users, you can use the filter: (&(objectClass=inetOrgPerson)(isMemberOf=cn=GroupNameHere,ou=groups,o=CompanyX))

Users from name filter:  (&(uid=%u)(objectClass=inetOrgPerson))

User Search Type:                           subtree (onelevel may be fine, but verify with your LDAP administrator)

User Name Attribute:                     uid

User Object Class:                           inetOrgPerson

Use Retrieved User Name as Principal ‚Äď I didn‚Äôt select this, don‚Äôt really know what it does

Groups

Group Base DN:¬† ¬† ¬† ¬† ¬† ¬† ¬† ¬†<another one to get from your LDAP admin. Ours is “ou=groups,o=CompanyX”>

All Groups Filter:              (&(objectClass=groupOfUniqueNames))

If your group names all have the same prefix, you could limit ‚Äúall‚ÄĚ groups to just your groups with a filter like (&(objectClass=groupOfUniqueNames)(cn=MyApp*))

Group from name filter: (&(cn=%g)(objectclass=groupofuniquenames))

Group search scope:                      subtree (again, onelevel may be fine)

Group membership searching:¬† ¬† <We select ‘limited’ because there are¬†no nested groups in the LDAP directories. If you need to resolve nested group memberships, this and the next value will be different>

Max group membership search level:      0

Ignore duplicate membership:     Doesn’t really matter as we don’t have duplicates. I left this unchecked.

Static groups

Static group Attribute name:       cn

Static group Object Class:             groupOfUniqueNames

Static Member DN Attribute:       uniqueMember

Static Group DNs from Member filter:     (&(uniquemember=%M)(objectclass=groupofuniquenames))

Dynamic Groups              this section is left blank/defaults as we don’t use dynamic groups

General

Connection Pool Size:¬†¬†¬†¬† Ideal value dependent on your anticipated application load ‚Äď default of 6 is a good place to start.

Connect timeout:             Default is 0. I don’t know if this is something particular to WebLogic, but I generally use a 15 or 30 second timeout. If the server hasn’t responded in that period, it is not going to respond and there’s no need to hang the thread waiting.

Connection Retry Limit: Default is 1, this should be sufficient but if you see a lot of connection errors, either increase the connect timeout or increase this retry limit

Parallel Connect Delay:  0 (default) is fine

Result time limit:              0 (default) is OK. On my the LDAP server, there is no time limit for searches. Since WebLogic is making very simple searches, you could put a limit in here to retry any search that takes abnormally long

Keep Alive Enabled:¬†¬†¬†¬†¬†¬†¬†¬† Please do not enable keep alive unless you have a specific need for it. Bringing up a new session uses slightly more time/resources on your app server than re-using an existing connection but that keep alive is a LOT of extra ‚Äúhey, I‚Äôm still here‚ÄĚ pings against the LDAP servers

Follow Referrals:              Un-check this box unless your LDAP admin tells you referrals are in use and should be followed.

Bind Anonymously on referrals:  Leave unchecked if you are not following referrals. If referrals are used and followed Рask the LDAP admin how to bind

Propagate cause for logon exception:      I check this box because I *want* the ugly LDAP error code that explains why the logon failed (49 == bad user/password pair; 19 == account locked out). But no *need* to check the box

Cache Related Settings:¬† This is something that would require more knowledge of WebLogic than I have ūüėä

If you enable caching, you may not see changes for whatever delta-time is the cache duration. So, the defaults of enabling cache & retaining it for 60 seconds wouldn‚Äôt really create a problem. If you set the cache duration to one day (a silly setting to make the problem cache can create clear) ‚Ķ. If I logged into your application at 2PM, did a whole bunch of work, went home, came back the next morning & saw my ‚Äúyour password is about to expire‚ÄĚ warning ‚Ķ so go out to the password portal and change my password. Reboot, get logged back into my computer ‚Ķ. and try to access your application, I will get told my password is invalid. I could try again, even type what I *know* is my password into notepad & paste it into your app ‚Ķ still not able to log on. My old password, were I to try it, would work ‚Ķ but otherwise I‚Äôd have to wait until after 2PM before my new password would work.

Group membership changes could be a problem too ‚Äď with the same 24 hour cache, if I am a valid user of your application who signs in at 2PM today, but my job function changes tomorrow morning & my access is revoked ‚Ķ I will still have application access until the cache expires. I am not sure if WebLogic does negative caching ‚Äď basically if I am *not* a user, try to sign in and cannot because I lack the group membership & get an access request approved *really quickly* to become a group member, I may still be unable to access the application until the ‚ÄúLisa is not a member of group XYZ‚ÄĚ cache expires. If WebLogic does not do negative caching, then this scenario is not an issue.

So you might be able to lower utilization on your app server & my LDAP server by enabling cache (if your app, for instance, re-auths the object **each time the user changes pages** or something, then caching would be good). If you are just checking authentication and authorization on logon … probably not going to do much to lower utilization. But certainly keep the cache TTL low (like minutes, not days).

GUID Attribute:  nsUniqueID

Establishing The SSL Trust

For encryption to be negotiated with the LDAP servers, you need to have a keystore that includes the public keys from the CA used to sign the LDAP server cert. Obtain the base 64 encoded public keys either from the PKI admin or the LDAP admin. Place these file(s) on your server ‚Äď I use the /tmp/ directory since they are no longer needed after import.

From the domain structure section, select: Environment=>Servers and select your server. On the “Configuration” tab, click the keystores sub-tab. If you are not already using a custom trust, you need to change they keystore type to use a custom trust (and specify a filename in a path to which the WebLogic account has access – keystore type is JKS and the password is whatever you are going to make the keystore password). If you *are* already using a custom trust, just record the file name of the custom trust keystore.

Use keytool to import the CA keys to the file specified in the custom trust. The following examples use a root and signing CA from my company, the CA chain which signs our LDAP SSL certs.

./keytool -import -v -trustcacerts -alias WIN-ROOT -file /tmp/WIN-ROOT-CA.b64 -keystore /path/to/the/TrustFile.jks -keypass YourKeystorePassword -storepass YourKeystorePassword

./keytool -import -v -trustcacerts -alias WIN-WEB -file /tmp/WIN-WEB-CA.b64 -keystore /path/to/the/TrustFile.jks -keypass YourKeystorePassword -storepass YourKeystorePassword

*** Under advanced, I had to check off “Use JSSE SSL” for SSL to work. Without that checked off, I got the following error in the log:

####<Feb 23, 2018 10:11:36 AM EST> <Notice> <Security> <server115.CompanyX.com> <AdminServer> <[ACTIVE] ExecuteThread: ’12’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <58b1979606d98df5:292a2ff6:161c336d0ba:-8000-0000000000000007> <1519398696289> <BEA-090898> <Ignoring the trusted CA certificate “CN=WIN-WEB-CA,DC=CompanyX,DC=com”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

####<Feb 23, 2018 10:11:36 AM EST> <Notice> <Security> <server115.CompanyX.com> <AdminServer> <[ACTIVE] ExecuteThread: ’12’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <58b1979606d98df5:292a2ff6:161c336d0ba:-8000-0000000000000007> <1519398696289> <BEA-090898> <Ignoring the trusted CA certificate “CN=WIN-Root-CA”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

An alternate solution would be to update your WebLogic instance ‚Äď there are supposedly patches, but not sure which rev and it wasn‚Äôt worth trial-and-erroring WebLogic patches for my one WebLogic instance with a dozen users.

Whew, now save those changes. Activate changes & you will probably need to restart your WebLogic service to have the changes go into effect. You can go into the roles & add LDAP groups as — specifically, I added our LDAP group’s CN to the administrators WebLogic role.

Actual Data – On What Is SNAP Money Spent?

Turns out there is actual data (not complete, as it does not account for non-SNAP cash purchases … but how many people pay cash at the grocery store?) regarding¬†what¬†groceries people buy with SNAP and what groceries they buy otherwise.¬†Here.

And I get the compassionate argument that I shouldn’t dictate what someone can and cannot purchase just because they happen to have fallen on hard times. That’s a bit like saying you cannot be irked when a friend asks to borrow a couple hundred bucks to make rent and you then encounter the same friend buying a new couture handbag / stereo system / whatever floats their boat. You can! And probably¬†are. Because it’s one thing to blow your own money on whatever you want, it’s quite another to tell me you need help at the same time. So, yeah, I want food bought with SNAP funds to be¬†better than that on which an average American spends their grocery money.

And … kind of surprising … it might be. Either way, #1 is meat/poultry/seafood (not a vegan’s view of healthy, but not guaranteed to be junk food). SNAP folks? #2 is veggies, 3 is cheese, 4 is fruits. Crap starts to show up as #5 (soda and stuff) and 6 (desserts). Frozen prepared foods, 8, are generally unhealthy. For the non-SNAP baskets: soda is #4, frozen prepared foods #4, and prepared desserts #5. Welfare queen stereotype aside, it turns out SNAP recipients¬†do allocate more of their funds to non-junk categories than average American shoppers.

But there’s¬†better and there’s¬†well.¬†¬†I don’t think it’s right for two billion dollars in tax money to go toward SNAP purchases of sweetened beverages. And another two billion for prepared desserts. That’s eight BILLION dollars in one YEAR toward obvious junk if we concede people believe bottled water, fruit juices, and coffee/tea are essentials. Up to 9.7 billion if those are included as well.

SNAP recipient purchases:

Rank Category $ in millions % of expenditures
1 Meat, Poultry and Seafood $5,016.30 15.92%
2 Vegetables $2,873.90 9.12%
3 High Fat Dairy/Cheese $2,483.20 7.88%
4 Fruits $2,271.20 7.21%
5 Sweetened Beverages $2,238.80 7.10%
6 Prepared Desserts $2,021.20 6.41%
7 Bread and Crackers $1,978.20 6.28%
8 Frozen Prepared Foods $1,592.30 5.05%
9 Milk $1,211.00 3.84%
10 Salty Snacks $969.70 3.08%

 

Non-SNAP purchases – Top 10:

Rank Category $ in millions % of expenditures
1 Meat, Poultry and Seafood $1,262.90 19.19%
2 Sweetened Beverages $608.70 9.25%
3 Vegetables $473.40 7.19%
4 Frozen Prepared Foods $455.20 6.92%
5 Prepared Desserts $453.80 6.90%
6 High Fat Dairy/Cheese $427.80 6.50%
7 Bread and Crackers $354.90 5.39%
8 Fruits $308.20 4.68%
9 Milk $232.70 3.54%
10 Salty Snacks $225.60 3.43%

 

Breaking into the data farther, either group’s #1 fruit expenditure? Orange juice. Sigh! #1 vegetable expenditure? Potatoes.

Cherry Jam

Super simple no-added-sugar jam, cherry today. Take a bunch of frozen cherries and toss ’em into a blender. Add enough water that they pur√©e. Add about a tablespoon of tapioca powder for 2 cups of fruit/water mixture. Transfer to saucepan and simmer until it starts to thicken a bit. Cool and pour into glass container. Add lid & refrigerate overnight. Voila, jam without heaps of sugar.

I used it to make cutout heart not-peanut-butter and not-jelly sandwiches for Anya’s preschool Valentine’s Day party “healthy snack”. We cut 48 large hearts (using a cookie cutter) from bread, then used a smaller heart-shaped cookie cutter to create an opening in the centre of 24 of the hearts. Take a big heart, smear on a little sunflower butter (or some nut butter if you’re making them for home), dollop on some jam and spread it out, then align a cut heart on top.

Anya took the little heart cutouts and made “jam sandwiches” (two hearts with a little of the jam in the middle) and “jam pies” (one heart with jam on top).

Washington’s Meal Delivery

Not a particularly novel idea to¬†source basic staples in bulk for¬†gov’d nutritional benefits – although¬†‘government cheese’ was as much about propping up dairy industry prices as providing sustenance.¬†It¬†would be¬†an interesting way to deal with food deserts if people were allowed to opt into the service because it suited their needs.

The reality of selecting “basic staples”: anything you pick is going to make someone irate.¬†Remember Palin attacking Michelle Obama for saying she tells her kids dessert isn’t a right &¬†planting a vegetable garden? Until 2010, I didn’t realize that saying¬†eating dessert at every lunch and dinner wasn’t ideal or that eating some fresh vegetables was contentious. I know now. Sure, the whole thing was a political stunt; but¬†anyone want to proclaim¬†society has gotten¬†more¬†reasonable in the intervening near-a-decade?

The biggest problem I have with this “money saving” proposal is that I don’t see it saving any money. It’s not like everyone can get the same box. Delivering fresh vegetables and meats presupposes I have a refrigerator/freezer and am dropping cash on the electricity to run it. I imagine we’re talking about shelf-stable foods (otherwise shipping in the Winter becomes a huge challenge –¬†I¬†did a free meal-delivery trial.¬†In the MidWest. In Winter. Got a¬†box full of frozen-solid ‘fresh’ food.).

There will need to be some mechanism for excluding items based on medical necessity (and a simple online account may not be viable). There’s an uproar if 95% of people claim to be severely allergic to lima beans and¬†spinach, or¬†excluding a food¬†takes a medical approval (which requires a trip to the doctor, which it itself a PITA). And like disability or injury law – there’ll be doctors who sign off on all sorts of dodgy stuff. Or at least the perception thereof.

Even with some mechanism¬†to avoid dropping peanut butter and tinned tuna into houses with allergies, I’m vegetarian. Or Kosher Jewish (religious discrimination!). Or whatever other deeply held dietary beliefs someone may have.

Now¬†they’re delivering vegan boxes (against the huge objection of meat industry groups) that comply with Halal, Kosher, etc restrictions¬†or¬†there are a dozen different boxes and there’s a database indicating¬†who gets what. Either way, some percentage of¬†the boxes¬†still need to be one-off packed to avoid non-common allergens (or comply with the religious belief of the dude who founds the Church of the Carnivore and cannot eat that vegan junk).

And that’s just the packing challenges.¬†Just¬†sourcing¬†and¬†delivering¬†this food every (week, month?) is a whole other logistical nightmare. Do they source locally or take money from the local economy and source the food from¬†single suppliers?¬†¬†And if they’re sourcing locally, can the gov’t really do so more efficiently than, say, the local supermarket chain?

The idea¬†inevitably includes industry “lobbying” to¬†have products included in the box. If Oprah cannot not like beef without getting sued,¬†and the FDA food pyramid/plate/<geometric shape of the year> cannot be built without industry uproar … I doubt the box will fair any better.¬†Plus¬†the potential for free advertising. There are people at my daughter’s preschool who send rice krispy treats as a ‘healthy snack’ because,¬†yeah, no idea. But would the government throw in crisps, candy, heavily processed anything … if the company offered it for free occasionally? And would people believe¬†everything they get in their box to be healthy … because it’s coming in the gov’t healthy-food-for-your-family box?

Drum Major Instinct

Somehow Dodge has confused the following text to mean “buy a new big truck”. One with a base price of like 26,000USD. Or this is just the logical conclusion of the post-truth alternative fact world … we can call back to some historical figure with a message that is basically the antithesis of that for which the person stood.

“Now the presence of the drum major instinct is why so many people are “joiners.” You know, there are some people who just join everything. And it’s really a quest for attention and recognition and importance. And they get names that give them that impression. So you get your groups, and they become the “Grand Patron,” and the little fellow who is henpecked at home needs a chance to be the “Most Worthy of the Most Worthy” of something. It is the drum major impulse and longing that runs the gamut of human life. And so we see it everywhere, this quest for recognition. And we join things, overjoin really, that we think that we will find that recognition in.

Now the presence of this instinct explains why we are so often taken by advertisers. You know, those gentlemen of massive verbal persuasion. And they have a way of saying things to you that kind of gets you into buying. In order to be a man of distinction, you must drink this whiskey. In order to make your neighbors envious, you must drive this type of car. (Make it plain) In order to be lovely to love you must wear this kind of lipstick or this kind of perfume. And you know, before you know it, you’re just buying that stuff. (Yes) That’s the way the advertisers do it.”