Tuesday, December 28, 2021

So Much To Know...

I once spent an inordinate amount of time with a friend of mine, who I consider to be a master of recording & sound engineering.  He has been at it for decades, paid his dues, and worked with some greats.  He executes his craft with the utmost care and caring... (something I have come to realize is what separates the true pros from the learned hacks). Anyway, I remember watching him in do his thing in the studio as I assumed the role of a quiet observer.  Despite his obvious adeptness and ingenuity, he would always play the part of the  Absent-Minded Professor, as opposed to the James Bond smooth-operator type.  I think it was partly a schtick to make people feel more at ease, but there was a genuineness and willingness to be vulnerable, as though allowing himself to be human probably made the job less fatiguing.   I distinctly remember my favorite phrase of his.  On a couple of occasions, while turning knobs and fixing some problem, in a wonderous voice he would declare, "so much to know..." 

It's stuck with me because it's true about so many things, no matter how much of a master of your craft you are - there is always more to know.  So much more.  I've worked in IT and done various software development for about 30 years now, and yet that's been the theme for me lately - as I try to wrap my head around newer (to me) concepts such as containerization, full stack application development, and more.  I should have started learning these things about 10 years ago, so I have to play catch up.  But it's enough to make me feel old. 

Anyway, follow along as I may post some perspectives on (but not limited to) the following concepts, as I learn them:

  • React/Mongoose/MongoDB
  • Python/Flask/PyMongo
  • Docker
  • Kubernetes Clusters, K3S for high availability scalability, management thereof
  • Tying all this together: MicroSaaS development and deployment

Wednesday, September 22, 2021

RANT TIME: Why do replies to a message I sent go to my spam folder?

Despite what one would think/hope, sending a message to a given address does not inherently give Google a high confidence that a reply from this address is expected (and, for example, that it should bypass spam checks). I have confirmed with Google's tech support that there is no way to automatically have this happen. The user can do the following:

1. Add the address to your contacts list in Gmail.

2. Check spam folder for replies, and mark it as "not spam" if something ends up there, which should influence the fate of future replies received. I can also approve an address at the domain level, i.e. if it is a big vendor or similar. I've had to do this with several of our Chinese vendors. I regularly ask engineering and purchasing to give me a list of the supplies we deal with, so I can approve them as a preventative measure.

For what it's worth, all of the false positive instances of reply -> spam we have experienced have involved the sender's email server having a problem. In the most recent case, it appears that the sender IP address appears on at least two internet blacklists. Since that is beyond my control, but we are trying to do business with these people, I can only add the domain to the approved senders list so that future replies from them should bypass the checks. However, if another company with a problematic email server replies to one of us, their message could very well still end up being marked spam.

Since Google can't help us, I am trying to figure out some kind of human process to defend against this, but to getting to a 0% false positive rate looks kind of ugly.  One idea I had is to make a script that is invoked when a user sends a message, and somehow adds the recipient address  to their contacts and/or some sort of approved sender list. 

Has anyone done this?

Thursday, May 27, 2021

Windows 10: Get rid of Microsoft Teams Auto Startup (from a script)

Situation:

You have installed Microsoft Office on your computer.  Whenever you logon to the computer, you see a Microsoft Teams splash that asks you to login, which you have to close every time if you choose not to login.

Possible remedy:

You can go into task manager, click the "Startup" tab, click Microsoft Teams, right-click and disable.  However, this doesn't work permanently as it will come back if you update or reinstall Office.  Also, other users who login to the computer will still get the Microsoft Teams thingy loading automatically at startup.

"Real" fix:

Add this to a user logon script, such as your domain logon script*:

REM Delete Microsoft Teams Auto startup reg key 
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "com.squirrel.Teams.Teams" /f

That second bit is all supposed to be on one line.

*if you don't have a domain logon script, you can just put this in a .bat file and stick into 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Now every time someone logs in, the Teams startup will be automatically removed, so that will be the last time they see it.

Monday, March 15, 2021

Scammers can bypass your Google Workspace Safety Checks

A major source of headache for system administrators these days, and has been for some time, is the uptick in phishing messages that fake the sender address so it appears to be from someone within your organization. If you are like me, this is one of the things that keeps you awake at night. Organizations using Google Workspace can take advantage of a safety feature that purports to prevent this from reaching users. You can access its settings from within the admin console under Apps->Gmail->Settings->Safety.




Unfortunately, there are still a ton of legit e-mail servers that don't authenticate, so that safety feature is not going to be very helpful.  However you can enable the checks that detect someone trying to send a message with an employee's e-mail address, your domain (or a variation on it) or even an employee's name.  These are very common attacks, and such checks regularly prevent nefarious messages from reaching our end users.  

The problem is, due to a poorly-planned filter architecture on Google's part, this whole mechanism can be bypassed, allowing a spoofed message to end up in a spam queue that is managed by an end-user.  

Google Workspace Filter Architecture places spam filters and queues ahead of "safety features" such as spoof checks.

As you can see in the diagram above, the spoof checks are effectively circumvented when they are sent to a group.  A moderator will see the message in the group's spam queue, AKA "Pending messages".  If they approve the message, it will then go through the safety checks, but by then the group manager has already seen it, and may act on it.

Thursday, February 04, 2021

Cordova-plugin-ble-central without BACKGROUND_LOCATION permission

Happy New Year.

I have been developing a Cordova app on Android that uses Bluetooth Low Energy (BLE).  To accomplish this, I have been using Don Coleman's cordova-plugin-ble-central.  This is a neat plugin with a pretty simple API that lets you do serial communications over BLE. It is compatible with both Android AND iOS.  It's installable with NPM, but I recommend you get it directly from his Github.  The one on NPM seems to be broken on newer Android devices.  The issue  is that Google now requires ACCESS_FINE_LOCATION permission if you are using bluetooth, and the one on NPM is older and hasn't been updated to request this permission.  But that's not really what this post is about.

My app is essentially a remote control for a light.   All I am trying to do is communicate over bluetooth when the app is in the foreground.  However, the Don Coleman plugin demands the BACKGROUND_LOCATION permission (presumably this would be required if I was trying to continue to send/receive data notifications while the app is in the background).  The problem is that this permission comes with some fairly hefty declaration requirements if you are trying to get your app into the Play Store.  For example, you have to make a video demonstrating the feature in your app that makes use of this functionality.  As I stated earlier, I have no such feature so it will be impossible for me to get my app to pass review.  

The only solution I could see was to fork Don's plugin and remove the BACKGROUND_LOCATION permission.  So far it seems to work.  If you have a similar problem, perhaps you can benefit from this version of the plugin as well.  A couple of things:

  1. In case it doesn't go without saying, if your app is in the background, you will not be able to do Bluetooth communication using this version of the plugin.
  2. I have only made changes to the Android side. I don't know if the iOS side still somehow requests BACKGROUND_LOCATION permission.  If it does, I will ultimately need to address that as well since my app is going to be available for both platforms.

So here it is: High Tech Harmony's cordova-plugin-ble-central without BACKGROUND_LOCATION

To use it, go to your Cordova build folder of your project and do the following:

(only if you have Don's plugin already)
cordova plugin remove cordova-plugin-ble-central 

cordova plugin add https://github.com/HighTechHarmony/cordova-plugin-ble-central

cordova clean android

cordova build android