Monday, January 26, 2015

Clipboards and Passwords and Symantec and Encoding, Oh My!

There's been an interesting quirk in our SEPM server for...months, I think. It's one of those quirks that we find annoying, but our workarounds have been sufficient to the point that we ignored the problem. You know how it is...always something more pressing, and getting this to work was more or less an annoyance, not a showstopper.

We couldn't log into our SEPM server unless the password was pasted in.

Weird, eh?

The thing is that the person who normally logs into it is me. Like, 90% of the time. And we can log into the server itself, just not SEPM.

I'm on a Mac, so I use RDP to connect to our antivirus server. I'll call it AntivirusServer. I enter SuperUser and type in the password. SEPM replies that I have the wrong password.

I open my password manager, running on Windows in a Virtualbox VM, and display the password; it matches. I retype the password in the RDP session.

"WRONG. TRY AGAIN."

Clipboard sharing is enabled for both the VM/host and client/RDP session. I copy the password from the password manager, paste it into the RDP session and hit the enter key.

"GREETINGS PROFESSOR FALKEN."

Okay, maybe it didn't say that exactly, but you get the gist. Every time.

SEPM is basically a web interface to a Tomcat application (Apache/Java on Windows?...yeah, never mind...) so I began to wonder if it wasn't doing something strange with the encoding of the password string. Maybe what I type in doesn't match the encoding of text pasted in!

So I asked on SuperUser how to determine the encoding of text. The first comment said it's not possible. Basically the encoding takes place within the application at the point where it's exported, saved or transferred, as per this answer on StackOverflow. It turns out that Clipboard does try to maintain some encoding, and from the looks of it an application can accept or translate input from the clipboard to some degree.

It may not inherently be incorrect, but the act of transferring it may cause some interesting side effects. But how can I tell what is happening in Clipboard?

Turns out ClipSpy provides a simple peek into what is in the clipboard.

I copied ClipSpy to the server and the workstation, then opened Notepad on my VM. Here's what happened when I copied it to the clipboard:

No password for you

What happened in the RDP session?

Well, that's different.

The content would look the same, but clearly the content is encoded differently. 

My guess is that somehow the Apache/Tomcat/servlet front-end is translating the pasted text differently from my manually entered password, and when I last changed the password (yes, they get cycled periodically) I must have entered it into the password vault first then pasted it into the change dialog to prevent typos.

Yes. I introduced an invisible typo in the effort to prevent transcription errors.

I wondered what the application saves text into the clipboard as "natively." I entered some text into the username text box and copied it to the clipboard:


That certainly looks different.

That doesn't definitely mean that this is the type of encoding that the application is expecting or translating, but it does hint to me that it's more of a possibility that maybe the application is trying to be intelligent and accept a different encoding without translating a string to a "base type" when evaluating the password. 

In the end, I think this supports the theory that the application is caring about the inserted encoding, and doesn't force a string to be "just" a string of a particular encoding before comparing it to the stored password; my copy-pasty care may be the vector by which it became screwed up.

Whoops.

If anyone else can weigh in on this or provide a way to definitively prove if this theory is correct, I'd love to hear it!
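
One way to test the theory offline, as an added example that is not from the original post or from Symantec's code: dump the code points of the typed and the pasted string, then hash both raw and after normalisation. It assumes the two strings differ at the code-point level; the sample strings and every function name are constructed for illustration.

```python
import hashlib
import unicodedata

# Constructed samples, not the password from the post: both render as "Café-Pass1".
TYPED = "Caf\u00e9-Pass1"            # precomposed é (NFC form)
PASTED = "Cafe\u0301-Pass1\u200b"    # e + combining accent, plus a zero-width space

def codepoints(s):
    """One 'U+XXXX NAME' entry per character, so invisible ones show up."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '<unnamed>')}" for c in s]

def suspicious(s):
    """Code points that display as nothing or merge into a neighbour."""
    return [f"U+{ord(c):04X}" for c in s
            if unicodedata.category(c) in ("Cc", "Cf", "Mn")]

def clipboard_bytes(s):
    """Bytes the same text has as CF_UNICODETEXT (UTF-16LE) and as UTF-8."""
    return {"utf-16-le": s.encode("utf-16-le").hex(" "),
            "utf-8": s.encode("utf-8").hex(" ")}

def digest(s, normalise=False):
    """SHA-256 over UTF-8 bytes; optionally canonicalise first (NFKC, drop Cf).
    Dropping Cf characters is this example's choice for diagnosis only."""
    if normalise:
        s = unicodedata.normalize("NFKC", s)
        s = "".join(c for c in s if unicodedata.category(c) != "Cf")
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

def compare(typed, pasted):
    """Summarise whether two look-alike strings match raw and after normalising."""
    return {"raw_match": digest(typed) == digest(pasted),
            "normalised_match": digest(typed, True) == digest(pasted, True),
            "suspicious_in_pasted": suspicious(pasted)}

if __name__ == "__main__":
    for label, value in (("typed", TYPED), ("pasted", PASTED)):
        print(label, len(value), "code points")
        for line in codepoints(value):
            print("   ", line)
        print("   ", clipboard_bytes(value))
    print(compare(TYPED, PASTED))
```

If the raw digests differ while the normalised ones match, the application is comparing un-normalised input. Feed it a throwaway test string sent through the same VM and RDP clipboard path rather than the live credential.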

Monday, January 19, 2015

Get Elected to the School Board, then the Kid's Untouchable

I had an interesting conversation with a teacher-type person the other day. It seemed to once again illustrate ways the school system is broken when you mix small town politics with education.

See, this teacher had a student misbehave. The student had a track record of misbehaving...not exactly setting fires in the classroom or pooping in the hallways type misbehaving, but the kind of track record of not paying attention and being a low-level disturbance in the classroom that some kids just seem to revel in. Teachers are expected to teach to the kids who at least pretend to give a damn about learning, so this student was ejected to the office, where we typically expect pain in the arse cases to go and be dealt with.

The teacher soon had a mysterious "You've been selected to go to classroom management class" an hour away from the district. Really coincidental timing, given that the kid had a parent on the school board.

Yeah, guess I forgot to mention that.

That seems to be a pattern I've noticed over the years. If you have a parent or some other pseudo-sponsor on the school board, you gain a "get out of jail free" card for your behavior. I knew of a teacher who often got away with insulting other teachers and students; quite unprofessional behavior. That person was moved around to other classrooms on more than one occasion within the district for offenses that I'm sure would have resulted in more severe consequences had they not had a school board relation; I've never heard of that school board member exercising any special privilege for their position, but it certainly seemed as if the administration in that district simply didn't feel like testing how far they could push the matter lest they incur potential wrath rather than doing their actual job and managing employees properly.

There are whispers among teachers in that district that if you have a student with a parent on the board, they are suddenly under increased scrutiny from administrators; performance and test content is questioned more quickly, and threat of having material ordered changed or performance (and competence) reviewed with more scrutiny seems to be more quickly doled out to educators assigned these little darlings. Teachers feel they should just give up in some cases; the students have an invisible smirk tattooed to their arm that gives them power over the classroom, since anything they do is apparently the fault of the teacher, not a parent who raised an entitled brat.

Keep in mind that this is also happening at a time when the school boards of all the schools in my area are currently fighting to keep the teachers from having actual employment contracts. Unfortunately, the school boards are populated by people with personal agendas and a very simple method of figuring out what to vote for and against; if it costs them more money in some way, they vote against it.

It's a simple but effective method that prevents the need for much thought. After all, most of the districts hired a lawyer to deal with contract negotiations on their behalf (yes, the lawyer is working for multiple local districts and pools knowledge of the various requests for their benefit...no conflict of interest there!) and refuse to actually give a straight answer as to how much they've spent using this lawyer.

The problem is the school board members who ran and are currently trying to squeeze every drop of workplace joy from the employees are the people who have only a simple, self-centered agenda. They don't contribute to the idea of "what can we do to create an educated citizen in our area?" They certainly don't give thought to creating a non-toxic work environment...see, for example, how they decided to post a news release insulting the teachers as a home page for their entire district. They have a simple idea...vote down anything that might cost them money or effort because public education is bad, and as school board members, they can choke public education and symbolically burn it in effigy to the citizens. As a side perk, when one of their children causes problems, the school board member doesn't hesitate to flex their influence and make sure it's the teacher's problem, not theirs.

For teachers it's yet another reason to give up on trying to actually teach. It's an environment where kids know that if they whine enough, administrators will give in, because parents are a pain but employees are easy to bully. Kid being a pain in the classroom? The teacher must not be engaging enough. It's never because Johnny is being a dick and his parents reinforce the idea that he's "just being a kid." It's because the teacher isn't a good enough performing monkey dancing a good jig in front of the room, being more of an attention-grab than the Facebook update Johnny is sneaking under his desk on the cellphone he's not supposed to be using during school.

But if the teacher sends Johnny to the office for having the phone, Johnny will have it right back soon enough. It's not really worth the teacher's effort and lost classroom time having to send him down.

And why bother dealing with Johnny at all if it's just going to mean the teacher will be told it's their fault?

If Johnny has daddy on the school board, the teacher will surely expect a drop-in from a principal soon anyway. Because they lack classroom management skills.

It's better to just shuttle Johnny to the corner of the room and hope to keep his disturbances to a minimum while other kids try to concentrate on learning, making the environment a little more toxic for everyone.

And then we can wonder a little more about why the classroom experience is worse for everyone today while conveniently ignoring another obvious contribution to the problem.

Sunday, January 11, 2015

How to Flush Your DNS Cache

Happy New Year! I thought I'd start off the year with a quick reference post on flushing your DNS cache. This falls under the flag of "This shouldn't be a pain in the ass, but here we are..."

Sometimes your laptop switches networks and your DNS lookups don't follow. Sometimes something on the network decides to go wonk. Sometimes sunspots and planets align just right. At any rate, once in a while the system needs to have name lookup cobwebs swept. Here's how to do it.

On Windows, use

ipconfig /flushdns

...from the command prompt. On Linux, you can usually use 

/etc/init.d/named restart

or

/etc/init.d/nscd restart

...depending on which one your system uses.

OS X is more fun because Apple devs insist on changing stuff periodically. For OS X 10.10:

sudo discoveryutil udnsflushcaches

On 10.9:

dscacheutil -flushcache; sudo killall -HUP mDNSResponder

On 10.7 and 10.8:

sudo killall -HUP mDNSResponder

On 10.5 and 10.6 (who's using those now?):

sudo dscacheutil -flushcache