krypted.com

Tiny Deathstars of Foulness

The LDIFDE utility exports and imports objects from and to Active Directory using the ldif format, which is kinda’ like csv when it gets really drunk and can’t stay on one line. Luckily, ldif can’t drive. Actually, each attribute/field is on its own line (which allows for arrays) and an empty line starts the next record, which can make for a pretty messy looking file the first time you look at one. The csvde command can be used to export data into the csv format instead. In its simplest form, the ldifde command can be used to export AD objects using just a -f option to specify the output file (the path below is relative to the working directory we’re running ldifde from if using PowerShell; remove the .\ if using a standard command prompt):

ldifde -f .\ADExport.ldf

This exports every attribute of every object, including many that already exist in a target Active Directory, so the file can’t be imported as-is. Therefore, you have to limit the scope of what you’re exporting, which you can do in a few ways. The first is to only export a given OU. To limit, you’ll define a dn with a -d flag followed by the actual dn of the OU you’re exporting and then add -p subtree to include everything beneath it. In the following example we’ll export all of the objects from the sales OU to the SalesOUExport.ldf file:

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -f .\SalesOUExport.ldf

Restoring objects still results in an error that the server is “Unwilling To Perform” the import because “The modification was not permitted for security reasons.” Basically, this just means “hey, I’m not going to import into some of the fields that I know I have to reserve for objects managed by the system, such as creation date (whencreated), last changed date (whenchanged), etc.” So we can take some of these and omit them from our export. You can use ADMT or just look at an ldif or csv file to determine which attributes from the schema need to be omitted, but at a minimum the list should include objectguid, uSNCreated, uSNChanged, whencreated and whenchanged (and a lot of the Exchange attributes if you’ve extended the schema for your forest). To omit them, use -o followed by a quoted, comma-separated list of the attributes. In the following example, we’ll export to the SalesOUExportO.ldf file, adding the -o flag to the previous command:

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -o "objectguid,uSNCreated,uSNChanged,whencreated,whenchanged" -f .\SalesOUExportO.ldf

You can also omit attributes with the -m flag, which keeps only the essential ones, so we’ll add that to the command as well:

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -o "objectguid,uSNCreated,uSNChanged,whencreated,whenchanged" -m -f .\SalesOUExportO.ldf

Use the -l option to limit the attributes being exported to only those specified.

The -r option restricts the export with an LDAP filter to a given category or class. For example, if we only wanted to export users, we can restrict to (objectClass=user):

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -r "(objectClass=user)" -o "objectguid,uSNCreated,uSNChanged,whencreated,whenchanged" -m -f .\SalesOUExportOM.ldf

Now I’m feeling like we have a good restricted set of data that we’re moving. Let’s go ahead and give importing a shot on a target server. To do so, we’ll just use -i to specify this is an import, followed by -k to say “don’t stop if you have a problem with just one record”, -f to define a file and -j to write a log. We’ll use the working directory for the file path and the log path, assuming this is being done by calling the .exe from within powershell:

ldifde -i -k -f .\SalesOUExportOM.ldf -j .\

Once complete, the imported objects should appear once you close and re-open Active Directory Users and Computers. You can also export one object, then programmatically generate objects in an ldif file as needed and create them in Active Directory by importing that file with ldifde.
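An added example, not code from the original post: a small Python filter that parses an ldifde export, drops the same system-maintained attributes the -o flag omits, and writes the records back out. It handles the two things that make a raw ldif file look messy: folded lines (a line starting with a space continues the previous one) and base64 values (attr:: ...). The sample record and its values are constructed.

```python
import base64

# Same attributes the post omits with ldifde -o; LDAP attribute names are
# case-insensitive, so compare in lower case.
SYSTEM_OWNED = {"objectguid", "usncreated", "usnchanged", "whencreated", "whenchanged"}


def unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Records as lists of (attribute, value); a blank line ends a record.
    'attr:: base64' values come back as bytes, everything else as str."""
    records, current = [], []
    for line in unfold(text) + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif not line.startswith("#"):    # '#' lines are LDIF comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                current.append((attr, base64.b64decode(value[1:].strip())))
            else:
                current.append((attr, value.strip()))
    return records


def strip_system_attrs(records, omit=SYSTEM_OWNED):
    """Drop the attributes a target domain controller refuses to accept."""
    return [[(a, v) for a, v in rec if a.lower() not in omit] for rec in records]


def to_ldif(records):
    """Serialise records; bytes and unsafe strings go out base64-encoded."""
    out = []
    for rec in records:
        for attr, value in rec:
            if isinstance(value, str) and value.isascii() and not value.startswith((" ", ":", "<")):
                out.append(f"{attr}: {value}")
            else:
                raw = value if isinstance(value, bytes) else value.encode("utf-8")
                out.append(f"{attr}:: {base64.b64encode(raw).decode('ascii')}")
        out.append("")                    # blank line terminates the record
    return "\n".join(out)


# Constructed sample in the shape of one ldifde record from the sales OU.
SAMPLE = """\
dn: CN=Jane Doe,OU=sales,DC=krypted,DC=local
changetype: add
objectClass: user
cn: Jane Doe
objectGUID:: Y29uc3RydWN0ZWQtZ3VpZA==
uSNCreated: 12345
whenCreated: 20160227120000.0Z
description: a long value that ldifde fol
 ds onto a second line
"""
```

Run to_ldif(strip_system_attrs(parse_ldif(open(path).read()))) over a real export to get a file the target server will accept without the -o step.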

February 27th, 2016

Posted In: Active Directory


SQL constraints restrict the data that can be stored in a table. A violation of a constraint causes the action to be aborted. Constraints can be defined when the table is created or added afterwards using the ALTER TABLE statement. The general syntax of a CREATE (or ALTER instead of CREATE) when defining constraints is as follows:

CREATE TABLE tablename
(
columnname datatype(size) constraintname,
columnname datatype(size) constraintname,
columnname datatype(size) constraintname,
columnname datatype(size) constraintname,
columnname datatype(size) constraintname
);

Obviously, replace columnname with the name of each of your columns, datatype with the type of data the column contains and constraintname with the constraint you wish to use. The following constraints are available:

  • CHECK: Verify that values meet the defined condition
  • DEFAULT: Sets a default value for new rows in a column
  • FOREIGN KEY: Verify referential integrity of data in a table to match values in another
  • NOT NULL: Columns cannot store a NULL value (be empty)
  • PRIMARY KEY: Columns cannot store a NULL value AND values in rows must be unique
  • UNIQUE: Each row in a column must be unique

For example, the NOT NULL constraint would be defined as follows:

CREATE TABLE testingnotnull
(
telephonenumber int NOT NULL
);

If you have an app sitting in front of a database, then use these with caution: if SQL simply terminates an operation, your app might be left with unexpected integrity issues.
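An added example, not from the original post, using Python’s built-in sqlite3 module rather than a server: it declares every constraint from the list above, returns the error the database raises when one is violated, and shows the half-applied batch the last paragraph warns about beside an all-or-nothing version. Table names and sample rows are constructed; note that SQLite only enforces FOREIGN KEY when the pragma is enabled.

```python
import sqlite3

# Constructed schema exercising CHECK, DEFAULT, FOREIGN KEY, NOT NULL,
# PRIMARY KEY and UNIQUE.
SCHEMA = """
CREATE TABLE departments (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE employees (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    telephone TEXT NOT NULL CHECK (length(telephone) >= 7),
    dept_id   INTEGER NOT NULL REFERENCES departments(id),
    active    INTEGER NOT NULL DEFAULT 1
);
"""
INSERT_EMPLOYEE = "INSERT INTO employees (name, telephone, dept_id) VALUES (?, ?, ?)"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO departments (id, name) VALUES (1, 'sales')")
    conn.commit()
    return conn


def add_department(conn, name):
    """Return None on success or the constraint message the database reports."""
    try:
        with conn:
            conn.execute("INSERT INTO departments (name) VALUES (?)", (name,))
        return None
    except sqlite3.IntegrityError as e:
        return str(e)


def try_insert(conn, row):
    """One row, committed on its own; the message tells the app which constraint fired."""
    try:
        with conn:                                 # commit, or roll back on error
            conn.execute(INSERT_EMPLOYEE, row)
        return None
    except sqlite3.IntegrityError as e:
        return str(e)


def load_batch_row_by_row(conn, rows):
    """Naive batch: each row commits separately, so a failure mid-batch leaves the
    earlier rows behind. This is the integrity problem the post warns about."""
    return all(try_insert(conn, row) is None for row in rows)


def load_batch(conn, rows):
    """All-or-nothing batch: one bad row rolls back the whole batch."""
    try:
        with conn:
            conn.executemany(INSERT_EMPLOYEE, rows)
        return True
    except sqlite3.IntegrityError:
        return False


def count_employees(conn):
    return conn.execute("SELECT count(*) FROM employees").fetchone()[0]
```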

February 21st, 2016

Posted In: SQL


How secure is your data on Bushel? Your data on anything is only ever as secure as your password. At Bushel, we take a lot of precautions to protect your data, including from ourselves. We time out your session, we encrypt your session on a per-transaction basis, and we encrypt your data while at rest on our servers (although consider it like the secure enclave in iOS, where we encrypt the data that needs to be encrypted – such as FileVault keys and activation lock bypass information). These basic precautions keep your communication with Bushel secure and prevent people from doing things like hijacking your session.

Read My Article On How Bushel Protects Customer Data On The Bushel Blog

August 19th, 2015

Posted In: Bushel, iPhone, JAMF


The Apple Watch is just another wearable with a limited feature set, in much the same way that the iPhone is just another phone. But they’re not. They have apps. And the apps are what make these devices so powerful. Installing apps on an Apple Watch is pretty straightforward. But before we do, it’s worth mentioning that there are two types. The first is a glance. This is just another view for an app that is on your iPhone that the Apple Watch talks to. The second is an actual app. These have more functionality and more options. There are also built-in apps that can be shown or hidden.

Apps are managed from the phone. To install either type of app, simply open the Apple Watch app on your phone. From there, you will see any apps that have either an app or a glance available on a device.


Tap on an entry and you’ll see whatever is available for that app. New apps aren’t displayed on your Apple Watch. Use the slider to control whether it is displayed or not.


Some apps have more options. If so, tap on the app and enable those options if needed. When you enable these apps, you’ll see the icon start loading on the watch, in much the same way that an icon starts to load on a phone when you purchase the app from the App Store.


Also, some apps, when you download an update to the app, will even prompt you to install a glance for the app on your phone.


The apps show up on the right side of the default apps on the watch.


Here’s the Nike app. This app only works properly when you open the app on the phone. It sits at a loading screen and only opens when the app on the phone opens. When it shows up, you can then do whatever the app is built to do. In this case, start and stop runs.


That’s it. Straightforward. Just be patient. It takes a while for Apple Watches to communicate with phones and to move data back and forth between them.

May 14th, 2015

Posted In: Apple Watch


When I started to write this, I had this idea that I’d write an article that looked at the features and the usability of the Pebble and those of the Apple Watch. Both have the ability to load custom apps, both have app stores, both do many of the same other tasks, etc.


The problem with that premise for this article is that they simply aren’t even remotely comparable. Let’s look at why:

  • Apps: The Apple Watch can support apps and glances from apps. You can load as many as the thing can take, you can get different types of apps and there are already hundreds (if not thousands – I don’t have the patience to count) of apps that have support for the Apple Watch. The Pebble on the other hand is limited to 8 concurrent apps and I have never actually found more than 5 that I wanted to use that didn’t involve a watch face.
  • Watch faces: I don’t change watch faces really. Most of the apps on a Pebble are all about custom watch faces. Pick your favorite school, your favorite Disney character, etc. The watch faces available for the Apple Watch are great and all, but the default face, with instant access to the calendar, your exercise stats, the weather, and of course the time, is really what the device is about and the best usability option, something Apple has always excelled at. It would be great if the other time zone option on the Apple Watch had some really cool stuff you could swap it out with. If you force tap on the screen, you can certainly select other things, but all the cool stuff is placed in other areas of the default watch face.
  • The screen: The screen on the Apple Watch is just a beautiful screen, with full color, lots of pixels, etc. The screen on the Pebble more closely resembles options from an Atari 2600. So, think Wii vs 2600 (aka e-paper)…
  • The app that manages the wearable: The Apple Watch app has in app controls for what’s available on phones, can configure which apps/glances are shown, unpair/re-pair, configure notifications, manage Do Not Disturb, put the device into Do Not Disturb mode, configure passcodes, manage sounds and vibrations, configure brightness and size. It’s pretty robust. The app for the Pebble does much less, but is on par given the features available on the device in general.
  • Light: The type of light emitted by the Pebble actually makes it a little easier to see in sunlight to me. But if you have sunglasses on then forget about it. Which I usually do when there’s a lot of sunlight. But this is a showstopper for some. Like those who (legitimately) still look for raised keyboards on phones…
  • Battery life: The Pebble kicks the crap out of the Apple Watch when it comes to battery life. I’ve not charged my Pebble once in a week and it was happily camping straight into the next week. My Apple Watch must be charged daily.
  • Older iPhones: The Pebble can work on any iOS 6 compatible device (and up). The Apple Watch needs an iOS 8 device. So if you have an older phone, you’ll likely want a Pebble. Or take this as the opportunity to stop listening to 90s era Britney Spears and upgrade your phone when you buy a watch.
  • App security: There are apps that can muck up a Pebble. This ranges from screen distortion to apps crashing. I tend to think that if an app can cause a device to crash then it could be intentionally designed to do more worser (yes, that was on purpose) things to the device as well. I could be wrong and haven’t spent any real time doing security research on the device, but it seems like a bad thing. Meanwhile, apps that go to an Apple Watch go through the App Store and so have at least some semblance of review.
  • Music Control: I like the Pebble more in this respect. It instantly sends commands to music on your phone. The Apple Watch always seems to be just a little bit delayed (not bad, but I can notice the delay). Having said that, the Apple Watch also has a Remote app, so you can also control music streaming out of computers onto Apple TVs.
  • Instant Messaging: The Pebble can show you messages. The Apple Watch can as well, but goes a step or 10 further and actually allows you to send voice messages, text messages, animated Emoji and even your heartbeat (which people keep creepily sending me – except that one guy who has none – but we all knew he was a lich so whatever on that).
  • Fitness: The fitness options on the Pebble are mostly from apps. The apps are a bit limited, but you can do a few pretty cool things. There are more built-in options on the Apple Watch; however, the 3rd party apps for Fitness tracking are pretty considerable and growing daily.
  • Pay for all the stuffs: Apple Pay isn’t the most widely accepted form of payment around, but it is gaining in popularity and pretty cool. Not sure if NFC is really going to be changing the world, but it might, and a wearable that isn’t specifically a fitness tracker is likely going to need it over the coming year.
  • Price: The Pebble can be $89. The Apple Watch starts at $350 and goes up to thousands (10 of ’em actually).

Overall, the Pebble is inexpensive. At 4 times the cost is the Apple Watch, which has less battery power but way more features. So it’s not Apples to Apples (no pun intended) to compare these. If you’re interested in a really inexpensive wearable and not worried about all the crazy features that come on them, check out the Pebble. But, the Apple Watch, as with many an Apple product, is very much worth the price tag. Unless you’re getting a gold one…

May 11th, 2015

Posted In: Apple Watch


Remember this comic:

Regrettably, password policies don’t allow for a few random words at most organizations, so a special character, a capital letter and a number are basically required in most passwords these days. However, if you need a quick and dirty generator that includes a phrase and those additional characters, consider MyPhrase from Björn Albers. It’s simple to use, fast and easy. Good luck out there!


October 27th, 2014

Posted In: Mac Security


Mavericks Server comes with a few new alerting options previously unavailable in versions of OS X. The alerts are sent to administrators via servermgrd and configured in the Server app (Server 3). To configure alerts in Mavericks Server, open the Server app and then click on Alerts in the Server app sidebar. Next, click on the Delivery tab.


At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.


Click on OK when you’ve configured all of the appropriate administrators for alerting. Click on the Edit… button for Push and if Push notifications are not already enabled you will run through the Push Notification configuration wizard.


Then, check the boxes for Email and Push for each of the alerts you want to receive (you don’t have to check both for each entry). Alerts have changed in OS X Server: they are no longer based on the SMART status of drives or capacity; instead, delivery is now based on service settings.

Finally, as with previous versions of OS X Server, Mavericks Server has snmp built in. Its configuration file is located at /private/etc/snmp/snmpd.conf, the built-in LaunchDaemon is org.net-snmp.snmpd, and the actual binary being called is /usr/sbin/snmpd (by default it’s called with a -f option). Once started, the default community name should be COMMUNITY (easily changed in the conf file). To test, use the following command from a client (192.168.210.99 is the address of the server being queried in the following example):

snmpwalk -On -v 1 -c COMMUNITY 192.168.210.99

October 23rd, 2013

Posted In: Mac OS X Server


There are a few ways I like to extend my battery life on my MacBook Air. These days, it’s increasingly important to conserve battery life as the transition to Mountain Lion (Mac OS X 10.8) has caused my battery life to spiral into so much of a vortex that I am concerned that my laptop must be shooting raw electricity out of the bottom (which would certainly explain why my hair has a tendency to be perpendicular with the ground when I exit a plane). Ever since moving to Mountain Lion (yes, this includes 10.8.2), I’m lucky to get 3 hours of battery life out of the Mac that used to give me at least 5 hours…

There are a number of tricks that I use to extend battery life. Some are obvious, such as dimming the screen, only using one app at a time, killing off menu items, temporarily stopping Spotlight indexing and killing off LaunchDaemons and LaunchAgents that I’m not using. I even used to use an app called CoolBookController to throttle my processor speeds while flying. But that doesn’t work as of Lion (certainly not in Mountain Lion).

One thing that I’ve been able to do that extends my battery life a little more (maybe an extra half hour) is to kill off Notification Center (I wrote about customizing Notification Center earlier here). I know, I know, it shouldn’t matter… But recently, a customer asked me to script disabling Notification Center. Since I’ve been killing it off with a script, this was a pretty straightforward task. It’s easy to disable Notification Center temporarily using the GUI. Simply click on the Notification Center icon in the menu bar and then scroll up to see the “Show Alerts and Banners” button. Click OFF or ON to toggle it off and on. As you can see, Notification Center then starts back up the next day.

To disable Notification Center from the command line, write a KeepAlive key that is false into the /System/Library/LaunchAgents/com.apple.notificationcenterui.plist like so:

sudo defaults write /System/Library/LaunchAgents/com.apple.notificationcenterui KeepAlive -bool false

Then, if you kill NotificationCenter off, it’ll stay off:

killall NotificationCenter

If you want to re-enable Notification Center, you’d just run the same with a true:

sudo defaults write /System/Library/LaunchAgents/com.apple.notificationcenterui KeepAlive -bool true

The easy way to then get it back is to reboot. Now, just for giggles, Notification Center is actually the /System/Library/CoreServices/NotificationCenter.app and in there lies the /System/Library/CoreServices/NotificationCenter.app/Contents/MacOS/NotificationCenter binary. If you open it, you’ll get multiple Notification Center icons in the menu bar. I’m not sure why I decided to try that at some point. But it’s kinda’ fun…

Ultimately, I travel with multiple MacBooks, so rather than toss one of them in a checked bag, or one destined for the overhead, I am temporarily just keeping a second 11 in the bag I keep under the seat in front of me for now…

October 22nd, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


I’ve mentioned the codesign tool in previous articles, but today let’s look at a specific use. I recently needed to generate a report of the executable for around 2000 app bundles. Luckily, codesign displays the executable for an app when run with the --display option:

codesign --display /Applications/Utilities/Terminal.app

The output looks as follows:

Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

Another tool that I haven’t written much about is productsign (also in /usr/sbin of Mac OS X 10.8). I’ll look at that one next, as a means of signing packages.

August 27th, 2012

Posted In: Mac OS X


Cryptix is a nice little app available on the App Store that allows you to encrypt and decrypt files using a variety of algorithms. While it’s an easy-to-use encryption tool, it’s actually an even better learning tool for figuring out how various types of encryption techniques actually work.

When you first open Cryptix, you’ll see a list of supported algorithms for encrypting files and passphrases. That part is simple enough, but click on the Tools icon in the toolbar.

Here, you’ll see a number of features along the sidebar, including Checksum, which performs a quick checksum of files dragged on top of the green arrow and tracks hashes, based on the algorithm you choose. Below that can be found more detailed information about interfaces, man page access and a few other things that show the developer was learning how to do a few neat things while writing the tool (such as using DNS from the tool).

Overall, the encryption and decryption aspects of this tool alone are worth the price on the App Store. The checksums are super fast. The other features are interesting as well. I don’t do a lot of app reviews, but this one unexpectedly caught me off guard as something I’d recommend.

July 9th, 2012

Posted In: Mac Security
