PKI Best Practices – xdot509.blog

This blog posting is just a list of PKI best practices and common practices. If you are implementing your own PKI or simply assessing your own PKI you can use this list to determine if your design or implementation is in line with industry best practices. This is by no means an exhaustive list, just common…
— Read on xdot509.blog/2020/10/15/pki-best-practices/

The rest of August

I’ve been busy during work hours and relaxing off-hours, meaning this post covers three weeks instead of the one week that I intended.

Home Automation: Simple steps to offload some maintenance work this week. I am setting up unattended-upgrades to automatically install most updates including restarting if needed. If all works as expected, I should be getting emails from the machines after they patch. I used this article from LinuxOpSys to set it up, but I also had to install the mailutils package to ensure I had the ability to send emails.
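As an added illustration of what that setup amounts to on a Debian/Ubuntu host (not the LinuxOpSys article’s text and not this post’s own files), here are the two apt configuration fragments involved. The mail address, the reboot time and the Ubuntu-style origin lines are assumptions; the `MailReport` key is the unattended-upgrades 2.x name for what older releases called `MailOnlyOnError`.

```conf
# /etc/apt/apt.conf.d/20auto-upgrades  (constructed example)
# Refresh package lists daily and run unattended-upgrade daily.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

# /etc/apt/apt.conf.d/50unattended-upgrades  (constructed example, only the keys relevant here)
Unattended-Upgrade::Allowed-Origins {
    // Security updates only, which is the shipped default on Ubuntu:
    "${distro_id}:${distro_codename}-security";
    // Uncomment to also install regular (non-security) updates automatically:
    // "${distro_id}:${distro_codename}-updates";
};
// Address the run report is mailed to. This calls the local `mail` command,
// which is why the mailutils package has to be installed. (assumed address)
Unattended-Upgrade::Mail "admin@example.com";
// "on-change" mails only when something was installed or an error occurred;
// use "always" to get a report after every run.
Unattended-Upgrade::MailReport "on-change";
// Clean up packages that are no longer needed after an upgrade.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Reboot automatically when /var/run/reboot-required exists after a run,
// at the given local time (assumed maintenance window).
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
```

Before trusting it, run `sudo unattended-upgrade --dry-run --debug` to see which packages the origin filter would select, and check `/var/log/unattended-upgrades/unattended-upgrades.log` after the first scheduled run. Because the reboot fires whenever a kernel or libc update leaves `/var/run/reboot-required` behind, keep the reboot time outside the hours when the home automation hub needs to be up.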

Reading

#328 – Health & Longevity – Making Sense with Sam Harris – Overcast – My key takeaway from this episode is the only proven weight reduction is caloric restriction. I find it curious that nobody mentions how much nutrient density has fallen in our food.

Black Hat USA 2023 – Bitdefender macOS Threat Report Reveals Key Dangers for Mac Users – Looks like Trojans are the most likely threat to a Mac.

Stopping at 90% – Austin Z. Henley – Did you document your work? Did you share your work with your team? Can someone pick up where you left off? If not, you are not done.

Bill Gates-backed nuclear contender Terra Power aims to build dozens of UK reactors – CityAM – When will the US get behind these small modular reactors? These could be installed in/around existing substations, providing greater capacity and resilience for our grid.

Solar power generation averted Europe’s heat crisis – I want solar on my home even more now.

Run every day – Duarte O.Carmo – I appreciate the concept of taking back your time, especially to prioritize your health.

People are losing more money to scammers than ever before. Here’s how to keep yourself safe | AP News – Unfortunate but verifiably true stats. We see far too many folks succumbing to scams every day.

This Heat Is Shaking the Very Foundation of the Ocean Food Web | WIRED – More negative impacts from climate change.

Fitch downgrades U.S. after debt limit stalemate – POLITICO – Old news – still feels like a country-wide facepalm just happened.

PodcastOne: 875: Jonathan Kennedy | How Pathogens Have Shaped Our World – Wow

What I’m Doing and How It’s Going – A very powerful and informative post from Daniel Miessler on what he’s doing now that he left corporate life. I personally think he’s got a somewhat negative view on what corporates are doing, but he’s not far off the mark. It is time to go if a business can only motivate someone by having them in the office and under their thumb. There were plenty of jobs that never would have been WFH, and plenty of people who just are not cut out for it. But if you have got the right people in the right seats on the bus, then you’re probably fine.

Billion Dollar Heist: The simple typo that stopped the Bangladesh bank robbers from stealing $1 billion – Always proofread before hitting submit – even if you are a criminal. (Via Cyberwire)

First weeks of August

I feel really positive about how I’ve ended the last couple of weeks post-vacation. I’ve gotten to enjoy late Upstate summers spending loads of time in our backyard outdoor oasis with my wife watching the fur-kids play.  I’m finishing this week’s post doing just that with a cup of coffee. Side note – I got stung by yellowjackets about 15 minutes after I closed my laptop this weekend, so this post is a bit delayed.

My Projects

Leadership: Most of my last two weeks have been spent in meetings and catching up from being on vacation. I started to feel overwhelmed as I was pushing off “actual work” and administrative tasks, but I decided to use this as an opportunity to use some “tactical delegation.” I have a bad habit of loving to get my hands dirty, but that leaves me in the precarious position of balancing “real work” with leading my team and maintaining relationships with my colleagues. The latter typically suffers because of that. Not only does delegation preserve precious time for higher value things, but it also allows me the opportunity to build relationships and coach my team in both soft and technical skills. I find this more rewarding and it leaves me with a net positive in energy at the end of the day. Unfortunately, I still have to process a buttload of invoices until we find a better way to do our AP.

Intune: My team has been working to build our BYOD environment in Intune so we can leverage some cost savings. The initial work of setting up our device profiles is complete, but we’ve been struggling with the Microsoft Tunnel setup.

Shortcuts: I’ve been working on some iOS shortcuts to help me build these posts.  The initial shortcut will grab the page title and link, then create an email from it.  I can then type my draft thoughts into the email and send it to myself. This made for a housekeeping nightmare, so I’m testing out dropping the links directly into a note in Apple Notes. Both shortcuts appear to work much better on my iPhone, but they also function on one of my MacBooks. I think I’m 80% complete here.

HomePod: I’ve also picked up a HomePod Mini to become my HomeKit hub. I’ve been using Homebridge to bring MyQ, SmartThings, LG, and the various other smart devices I’ve collected into one panel. Adding the HomePod should allow me to set up automations as well as manage my devices remotely. So far the HomePod is working as expected with the added bonus of being a great little speaker. I use it mainly in the office, but it’s seen the backyard a couple of times to play my Apple Music playlist.

Reading

New Cisco platform deploys AI to take VPN decision-making off your plate – EVERYONE hates VPNs, but EVERYONE still uses VPNs.  Cisco Multicloud Defense would take the decision-making process out of the user’s hands and automatically tunnel the traffic that needs to be. I’m not sure this is truly AI as you can currently do this with AnyConnect OnDemand rules.

Apple issues third mobile OS update after zero-click spyware campaign | CyberScoop (From Risky Business #714) – I have been impressed by how quickly these patches can be deployed with Apple’s new deployment method.

Cyberattack causes multiple hospitals to shut emergency rooms and divert ambulances (From RiskyBiz News 8/7) – Ransomware attacks against critical infrastructure should be treated like a terrorist attack.

Satellites Are Rife With Basic Security Flaws (From Risky Business #714) – No surprises here as this is IoT for space.

Tenable CEO accuses Microsoft of negligence in addressing security flaw (From Risky Business #714) – Is Microsoft backsliding into the same shenanigans they pulled in the 2000s?

The Linux Community Is Circumventing Red Hat’s Controversial New Strategy – I’m glad to see some of the more popular Red Hat-based distros have gotten around the death of CentOS.  

If your iPhone or iPad is too old, you won’t get these new iOS 17 or iPadOS 17 features – The Mac Security Blog – Nothing here that is going to make you run out and buy a new phone.

If your Mac is too old, you won’t get these new macOS Sonoma features – The Mac Security Blog – Same story for a second time.

Practical Protection: Who Watches the Watchers?  | Practical365 – Paul linked two ideas from last week’s Risky Business podcast to give us some hints on preventing breaches in a Microsoft environment.

Exchange Online Enforces Sender DMARC Policy | Practical365 – Microsoft is sending a big message by honoring DMARC policies across the board. I highly recommend you verify your SPF, enable DKIM signing for all approved senders, and create a DMARC policy so recipients reject any spoofed email sent using your domain. I also recommend you set up a DMARC block-all policy for any domains that you own but do not use.
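To make that recommendation concrete, here are the DNS records it amounts to, as an added example that is not from the Practical365 article or from this post. The domain names, the DKIM selector and its CNAME target (shaped after the Microsoft 365 convention for a tenant-hosted key) and the report mailbox are all assumptions.

```zone
; Constructed example: example.com sends mail through Microsoft 365, example.net is owned but never sends.

; --- Sending domain ---
; SPF: only the M365 outbound hosts may send; "-all" hard-fails everything else.
example.com.                        IN TXT   "v=spf1 include:spf.protection.outlook.com -all"
; DKIM: the public key is published by the tenant; the domain just points at it (assumed selector/tenant names).
selector1._domainkey.example.com.   IN CNAME selector1-example-com._domainkey.contoso.onmicrosoft.com.
selector2._domainkey.example.com.   IN CNAME selector2-example-com._domainkey.contoso.onmicrosoft.com.
; DMARC: receivers that honor the policy reject mail that fails both SPF and DKIM alignment;
; aggregate reports go to the assumed rua mailbox so you can see who is still spoofing you.
_dmarc.example.com.                 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

; --- Parked / unused domain: the "block-all" case ---
; Empty SPF: no host is ever authorized to send as this domain.
example.net.                        IN TXT   "v=spf1 -all"
; Empty wildcard DKIM key: any DKIM signature claiming this domain fails to verify.
*._domainkey.example.net.           IN TXT   "v=DKIM1; p="
; DMARC reject with nothing else: anything using this domain in the From header is rejected.
_dmarc.example.net.                 IN TXT   "v=DMARC1; p=reject"
; Null MX (RFC 7505): tells the world this domain does not receive mail either.
example.net.                        IN MX    0 .
```

For a live sending domain, roll the policy out in stages (`p=none` with `rua=` to collect reports, then `p=quarantine`, then `p=reject`) so legitimate third-party senders that are not yet SPF/DKIM-aligned surface in the reports instead of being dropped; the strict alignment tags (`adkim=s`, `aspf=s`) are only appropriate once every approved sender uses the exact domain rather than a subdomain. The parked-domain records can go straight to `p=reject` because nothing legitimate is ever sent from them.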

Microsoft resolves vulnerability following criticism from Tenable CEO – I have to agree with the Tenable CEO on this one. Microsoft has gone back to a culture of secrecy, denial, and stalling in all of its platforms. This is unacceptable for an organization profiting off a considerable number of businesses depending on their security.

DIY Scientists and Institutions Are Racing to Replicate the Room-Temperature Superconductor – Didn’t we do this song and dance years ago only to discover it was a farce?

Scientists Control Human DNA with Electricity in ‘Leap Forward’, Study Reports – Ok this is cool. Maybe a wearable DNA editor is in our future?

The Mystery of Chernobyl’s Post-Invasion Radiation Spikes | WIRED – Add radiation detectors to the never-ending list of hackable IoT devices.

What Doctors Wish You Knew About HIPAA and Data Security | WIRED – Your health data is only covered by HIPAA in a healthcare provider system. Apple Health, Fitbit, etc. are not covered at all. Read the fine print.

NASA regains contact with Voyager 2 after it went dark for two weeks | Engadget – Voyager 2 amazes me. 45 years old and still on mission!

How to see the Perseid meteor shower this weekend, 2023’s best – Eyes to the skies this weekend!

July Notables

I’ve taken my sweet time on this one. Multiple work projects, holidays, and a vacation.

The Final Frontier

Asteroid mining startup AstroForge will test its metal refinery tech in space this year – Finally, we are looking at the resources outside our own atmosphere!

243 | Joseph Silk on Science on the Moon — Sean Carroll’s Mindscape: Science, Society, Philosophy, Culture, Arts, and Ideas – Another discussion of getting humanity into space using the Moon as our jumping-off point.

Science Stuff

An Ancient Battle Is Playing Out in the DNA of Every Embryo – Interesting read.

Patient undergoes double neural bypass surgery | Popular Science – Some amazing work in using implants and AI to repair spinal damage.

This Prosthetic Limb Actually Attaches to the Wearer’s Nerves | WIRED UK – Amazing work with direct neural drive of prosthetics that allows finer motor control.

World Issues

Could the non-free regimes of the world be looking at long-term self-immolation?

859: Bradley Schurman | Demographic Collapse in Russia, China & the USA (The Jordan Harbinger Show) – An interesting listen on how some of the major superpowers might be facing population collapse. Will it be a bad thing? It depends.

How much trouble is China’s economy in? – It sounds like China’s economy could be taking a downturn, but leadership appears to be confident in a recovery. But how long will that recovery last?

Why U.S. credit rating was downgraded and debt is rising – The Washington Post – The US has dropped from AAA to AA+ bond rating due to how our elected officials are handling budget negotiations.  I wondered when the repeated crises would come back to bite us. Maybe it’s time we push both parties to work together instead of fighting.

IT

The Cloud Is a Prison. Can the Local-First Software Movement Set Us Free? | WIRED – I like the idea of local-first considering the impacts of our cloud services going offline, or just getting crappier and more expensive.

Some good articles on Microsoft 365 that I found over the week:
Practical Protection: Five Things To Know About Microsoft 365 Auditing – TL;DR – you don’t get most audit logging unless you pay for it.
Resolving the Five Most Common Conditional Access Misconfigurations – A great high-level look at leveraging conditional access policies for Microsoft Online.

NSA Releases Guide to Harden Cisco Next Generation Firewalls – The NSA published a comprehensive set of Firepower hardening advice.  I suggest anyone running Cisco Firepower devices take a look.  Most of the recommendations are standard practice, but it also explains how to properly build your ACLs.

My zsh shell takes forever to open sometimes – why?
Speeding Up My Shell (Oh My Zsh) | Matthew J. Clemente – In-depth review of Matthew’s attempts to speed up his zsh shell.
Speeding up zsh and Oh-My-Zsh | JonLuca’s Blog – another take on improving zsh load times.

Leadership

The Right Way to Hold People Accountable – Great article on the right way to hold people accountable.
17 Reasons NOT To Be A Manager – Got this from Daniel Miessler’s newsletter this week. This is a spot-on view of the differences between being a technical individual contributor versus management.  I’ve found much of this spot on with my leadership journey.

Health

These 8 habits could add up to 24 years to your life, study says | CNN – Another good find from Daniel Miessler this week.  Seems there is still hope for the fortysomething crowd after all.
A lack of sleep blocks brain-boosting benefits from exercise, study says | CNN – It looks like not sleeping well or enough can undo everything else you are working towards healthwise.
AMA #9: Kratom Risks, Does Infrared Sauna Work & Journaling Benefits – Huberman Lab – Overcast – Andrew Huberman tells you all about Kratom, including the very serious risks.  TL;DR – don’t do it.

Microsoft Sharepoint outage caused by use of wrong TLS certificate

Microsoft Sharepoint and OneDrive for Business were briefly interrupted today after a German TLS certificate was mistakenly added to the main .com domains for the Microsoft 365 services.
— Read on www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-outage-caused-by-use-of-wrong-tls-certificate/

Exchange Online: PropertyTooBigException causing email issues for a user.

An employee reported that certain emails were rejected, but others appeared to be coming through just fine. All “new” messages would be delivered by Exchange, but any replies or forwards would immediately get rejected with this error:

554 5.2.0 STOREDRV.Deliver.Exception:StoragePermanentException.PropertyTooBigException; Failed to process message due to a permanent exception with message [BeginDiagnosticData]Exception encountered initializing default folder. PropertyTooBigException: The object data is corrupted. The value of property [0x36d90102] AdditionalRenEntryIdsEx is too large and requires streaming.[EndDiagnosticData] [Stage: OnPromotedEvent][Agent: Conversations Processing Agent]'

The first instance happened directly after we migrated a relatively old mailbox to Exchange Online while running in hybrid mode. The second instance happened almost two years later on a similarly aged mailbox that had been imported. This procedure was given to me by MS Tier 3 support and fixed both instances.

Solution

  1. Download the latest release of the MFCMAPI tool from GitHub: https://github.com/stephenegriffin/mfcmapi
    1. The tool does not require installation. All you need to do is unzip the download and run it.
    2. Match the installed version of Outlook (32- or 64-bit). MFCMAPI uses Outlook to get low-level access to the mailbox internals.
  2. Find a Windows computer running Outlook. The easiest option is the affected user’s PC, but any PC with access to the right mailbox will work.
  3. NOTE: If this isn’t the user’s PC, create a new Outlook profile with only the user’s email address configured. You will need to open Outlook at the end of this process to recreate the deleted property.
  4. Run the MFCMAPI tool.
  5. Close the initial splash screen.
  6. Click on Tools > Options, then scroll down to find “Use the MDB_ONLINE flag when calling OpenMsgStore”, check it, and click OK. This forces MFCMAPI to connect to the mailbox in real time instead of through cached mode.
  7. Click on Session > Logon.
  8. MFCMAPI will prompt you to select a profile. Select the right profile if you have multiple configured on your computer, then click OK.
  9. Select the correct mailbox from the list. It will show you all the mailboxes the user has access to. Double-click on the mailbox you need to edit.
  10. In the left-hand tree, expand Root Container.
  11. Scroll down to Top of Information Store and expand it. Then click on Inbox to select it.
  12. Switch to the detail pane and sort by the Tag field.
  13. Scroll until you find the tag matching the hex ID of the property from the NDR message.
    1. In our case the hex is 0x36d90102. The actual property name from the error message is AdditionalRenEntryIdsEx, but it is listed in MFCMAPI as PR_ADDITIONAL_REN_ENTRYIDS_EX.
  14. Right-click on the property and select Delete property.
  15. Click OK to delete the property.
  16. If you have Outlook open, close it. Then re-open it using the user’s profile/mailbox. You should see the properties window in MFCMAPI refresh. Check that the PR_ADDITIONAL_REN_ENTRYIDS_EX property has been rebuilt in the Inbox folder.
  17. If the property has been rebuilt, try replying to one of the test emails that failed. The problem should be resolved.

Additional Info

On Sleep

Many of us face some level of anxiety over our sleep, or perceived lack of it. I’ve recently gone down a rabbit hole of sleep-related podcasts and articles. I thought I would share some of what I learned here on my blog. I’ll update the post as I run into new information.

Plain English with Derek Thompson: The Most Important Thing Most Americans Misunderstand About Insomnia on Apple Podcasts

This was my first experience with Derek’s podcast after hearing him on Episode 523 of The Learning Leader Show. Derek does an excellent job breaking down the complex topic of sleep into layman’s terms. Dr. Wu also does an excellent job explaining the science behind sleep. Below are my notes from the show.

  • Sleep is the most important factor in your health.
  • Biphasic sleep was the norm until the Industrial Revolution (1st and 2nd sleep).
    • The first half is deep sleep, which is most important to purge adenosine built up during the day.
    • The second half is still very important – it might be for REM sleep but that wasn’t discussed.
    • The 1st and 2nd sleep trend documented pre-Industrial Revolution was likely caused due to lack of man-made sleep interference (light, etc.). It can also happen naturally when the transition between phases causes a waking moment.
  • Insomnia can be easily described as low sleepiness/high bedtime availability.
  • Sleep deprivation can be best described by high sleepiness/low bedtime availability.
  • Insomnia is often caused by anxiety about sleep or anxiety in general.
  • Good circadian health is key to good, restful sleep.
    • The typical circadian rhythm is 24.1-24.2 hours.
    • Figure out your chronotype and see how to adapt your schedule to it if possible.
  • Shift work is considered a carcinogen: Recent News about Night Shift Work and Cancer: What Does it Mean for Workers? | Blogs | CDC
  • Keep the half-life on caffeine in mind when you are consuming coffee
  • Cognitive Behavior Therapy specifically for insomnia appears to be the best remedy for long-term insomnia sufferers.
  • Sleep consolidation is typically suggested for people who have problems falling asleep or staying asleep. Reduce the time available for sleeping to train your brain to be more sleepy and get better quality sleep.
  • Sleep trackers are useful, but aren’t fully accurate and can negatively impact sleep anxiety.
  • The TikTok trend of drinking lettuce water doesn’t work for people. You would need to drink more lettuce water than you can take in during a 24-hour period for this to work.
  • Using the same TV show every night can be a sleep association that works. Unsolved Mysteries reruns work for me!

Toolkit for Sleep – Huberman Lab
Andrew Huberman put together a great list of solid tips for getting quality sleep. I recommend reading it.

Thanks for joining me in this rabbit hole!

Notes from Rich Dad, Poor Dad

I just finished my first re-read of Rich Dad, Poor Dad after I originally purchased the hardcover book. The new edition has updated facts and figures but closely follows the hardcover I originally read.

  • Always focus on learning the key management skills: cash flow, systems, and people.
  • Build your asset column with true assets. True assets produce income for you.
  • A winning portfolio is focused, not balanced.
  • Common cash flow assets: real estate (rent, loans, capital gains) and stocks (dividends, capital gains)
  • Tax lien certificates are an interesting concept: A 16% interest rate but your money is locked up for 6 to 7 years.
  • If you get into real estate investment, get a great property manager. This keeps you free to focus on minding your business, not plunging toilets and mowing lawns.
  • The stop order is a key tool to minimize losses when building your stock assets.
  • “Busy people are often lazy” – Ain’t this the truth, and I’m a perfect example.
  • Sales = Income
  • Sales skills improve your communication skills
  • Is it possible to “be the bank” by offering a mortgage and using an escrow/servicing company to collect the payments?
  • Stop paying yourself last! Convert your earned income into assets that generate passive income or portfolio income.
  • Overcome arrogance – what you don’t know will cost you money.
  • Use Nevada corporations to reduce tax load
  • Is it time to look into foreclosure auctions?
  • When everyone else is getting out, watch for your opportunity to get in. Example: Buying up real estate cheap when the bubbles burst.
  • Be like your heroes: Invest like Warren Buffett, build deals like Trump did.
  • Locking potential investments up in contracts can help you secure them while you get the money together, but always leave yourself an easy out using contingencies. Example: Contract is contingent on approval of a business partner.
  • The lesson of “The Richest Man in Babylon” is important in understanding wealth.