What it costs to NOT run #CO2Fre

During the entire month of April, I only went for a drive a few times. Once was for my Earth Day demonstration. On that day, according to TeslaFi, I drove 6.01 mi / 9.67 km, using 2.64 kWh and reducing #CO2Fre‘s range by 11.11 mi / 17.88 km.

The other drives were when I took #CO2Fre to the Tyson’s Corner Service Center to have them investigate a squeaking sound when I turn in the rain on Tuesday, 31 March. I dropped of #CO2Fre and couldn’t pick her up for a week, which is why #CO2Fre didn’t charge from 1–7 April. The drive there took 12.32 mi / 19.83 km and used 3.14 kW. On Wednesday, 1 April, the service people test drove #CO2Fre for 6.00 miles / 9.66 km, using another 1.72 kWh. I could finally pick up #CO2Fre on Tuesday, 7 April, and burned another 2.74 kWh on the 10.84 mi / 17.45 km trip home.

Other than that, I didn’t drive anywhere and apart from testing, and testing, and testing my DashCam, I didn’t even approach #CO2Fre.

What’s more interesting is the amount of vampire power #CO2Fre uses. For the entire month of April, which is to say 23 March–22 April, which is my billing cycle, I used 39 kWh of electricity. Since the driving only used 10.24 kWh, at least 28 kWh was burned in idle usage and the occasional climate control.

Though this may seem mysterious, I do know exactly where and when #CO2Fre is drawing current thanks to Dominion’s smart meter. I have over ten years of data, in thirty minute increments, collected in a Google Spreadsheet.

Day01:0001:3002:0002:3003:0003:3004:0004:3005:0005:3006:0006:30Super-Off PeakOff-PeakOn Peak
Mon 23 Mar0.30.00.00.00.00.00.00.00.00.00.00.00.30.00.0
Tue 24 Mar0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Wed 25 Mar0.02.60.00.00.00.00.00.00.00.00.00.02.60.00.0
Thu 26 Mar0.30.00.00.00.00.00.00.00.00.00.00.00.30.00.0
Fri 27 Mar0.00.20.00.00.00.00.00.00.00.00.00.00,20.00.0
Sat 28 Mar0.00.20.00.00.00.00.00.00.00.00.00.00.20.00.0
Sun 29 Mar0.00.20.00.00.00.00.00.00.00.00.00.00.20.00.0
Mon 30 Mar0.50.00.00.00.00.00.00.00.00.00.00.00.50.00.0
Tue 31 Mar0.20.00.00.00.00.00.00.00.00.00.00.00.20.00.0
Wed 1 Apr0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Thu 2 Apr0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Fri 3 Apr0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Sat 4 Apr0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Sun 5 Apr0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Mon 6 Apr0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Tue 7 Apr0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.0
Wed 8 Apr5.75.84.60.00.00.20.00.00.00.00.00.016.30.00.0
Thu 9 Apr0.60.00.00.00.00.00.00.00.00.00.00.00.60.00.0
Fri 10 Apr0.50.00.00.00.00.00.00.00.00.00.00.00.50.00.0
Sat 11 Apr0.20.00.00.00.00.00.00.00.00.00.00.00.20.00.0
Sun 12 Apr0.00.20.00.00.20.00.00.00.00.00.00.00.40.00.0
Mon 13 Apr0.00.20.00.00.20.00.00.20.00.00.20.00.60.00.2
Tue 14 Apr0.40.00.00.00.00.00.00.00.00.00.00.00.40.00.0
Wed 15 Apr0.40.00.00.00.00.00.00.00.00.00.00.00.40.00.0
Thu 16 Apr0.00.20.00.00.00.00.00.00.00.00.00.00.20.00.0
Fri 17 Apr0.80.00.00.00.00.00.00.00.00.00.00.00.80.00.0
Sat 18 Apr0.40.00.00.00.00.00.00.00.00.00.00.00.40.00.0
Sun 19 Apr5.72.20.00.20.00.20.00.20.00.20.00.28.50.20.2
Mon 20 Apr3.10.00.00.00.00.00.00.00.00.00.00.03.10.00.0
Tue 21 Apr2.00.00.00.00.00.00.00.00.00.00.00.02.00.00.0
Table 1: Time-Of-Use Data for the month of April 2020

However, even with this low fuel usage, I still get a bill every month from Dominion Virginia Power. This is because, even if I used no electricity, I have to pay Dominion for my Time-Of-Use Smart-Meter. This allows me to charge between 01–05 in the morning for dirt cheap electricity. The base rate for this service, in a two meter household, is $2.73, so my fuel always costs at least that, even if I don’t use any electricity.

The final tally was for all that was $5.42 for just 35.17 mi / 56.60 km of driving.

I hope to spend more kWh cruising upon a cloud again soon.

Microsoft Teams is not quite the Team Player we thought

The folks at CyberArk uncovered a new vulnerability in Microsoft Teams. In Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, they investigate a serious security hole in Teams that could threaten your organization and provide access to confidential information. Fortunately, Microsoft has, in theory, patched this vulnerability thanks to locking down any vulnerable Microsoft Teams servers.

This is a startling development considering how I’ve had to defend Zoom with respect to its long-ago patched UNC Path vulnerability. Now, we find out that by intercepting the traffic during the sending of images like a Gif, an attacker can subvert a computer’s security, intercept a victims access tokens, and impersonate the victim to begin a social engineering attack.

The basic process is the attacker can use Fiddler to intercept a benign image being transmitted. Since the image is transmitted via its URI, the attacker can modify the packet that transmits the benign URI and change the source domain to come from a compromised Microsoft Teams server.

Next, the attacker needs to intercept traffic to the compromised Microsoft Teams servers. Once the victim loads the image in his Teams viewer, the victim’s computer transmits his authentication tokens to the compromised server and thus the attacker has the users credentials.

The main solution is to lock down any vulnerable servers in the Microsoft Teams subnet. However, it is interesting that Teams uses a REST API with JWT. This is a very common authentication method and one used by OAuth Authentication. I have developed a number of software components that use JWT from OAuth and use those tokens to make connections to various web services I typically use, like meetup and Google Drive.

Microsoft Teams uses two JWT. First, the user gets an authentication token, and with that, the user can get the session token called skypetoken_asm. Both tokens are required by the Microsoft REST API to communicate with the server. The interesting thing, though, is that the second token is called Skype Token. A few years ago Microsoft bought Skype. At the time, people speculated why and of course with Microsoft Teams, I thought it might be leverage Microsoft with its own video conferencing platform. The question was, was Microsoft Teams based on Skype? It looks like at least in part, the answer is yes.

Below, you can watch a video of how this attack might actually work.

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams | CyberArk

So, be careful what video conferencing system you use. Clearly, Zoom isn’t perfect, but neither is Microsoft, and neither is Google likely to be. There is no reason to pick on any of them. All three are working hard to patch vulnerabilities as soon as they’re found. Just, try to keep your software up to date. And that’s my latest deep dive into Video Conferencing security. If you like what you’ve read, I’m available and eager for hire.

TeslaOS 2020.12.5, or so I’m told

Thursday, I was so busy with updating my Science Book Club book nominations list, which I will discuss Friday, that I forgot to transmit this piece on time. I have, however, fixed the release date to correspond to when it was relevant.

That out of the way, I am very excited about TeslaOS 2020.12.5. Well, I would be if I could access #CO2Fre. Unfortunately, I am disallowed from entering #CO2Fre because of fears that, after the scam service from last week because someone things everything in the world has SARS-CoV-2.

One thing I hear is that you can now view your Dash Cam on the big screen. So, what? I’ve been struggling to find the right and reliable USB storage device that can allow me to sync my recordings to my capacious Google Drive but am completed paralyzed when it comes to finding a replacement for my original, failed device that stopped working many months ago. I just wish there was an out-of-the-box solution that didn’t require external DC Power.

And I still haven’t figured out what Game Controller to get. If only there was an official list of supported devices.

As for actually stopping at Stop Signs and Stop Lights, that’s yet to be seen. I’ve not seen it mentioned on any sites about TeslaOS 2020.12.5, so I’m dubious it has that.

But, I guess I’ll find out next week.

All this is bad enough it it weren’t for the fact that I was originally scheduled to give a demonstration of my Tesla #P㆔D and all the new capabilities of the vehicle this weekend with the RVA Electric Vehicle association meetup on Saturday. I’m really hoping to switch this to next week as if we hold it on Saturday, I will be presenting #CO2Fre without #CO2Fre!

But at least there’s TeslaOS 2020.12.5, in theory.

TeslaOS 2020.12.5
Apparently, #CO2Fre is now running TeslaOS 2020.12.5. Unfortunately, I have no way of verifying this in the automobile or see what’s in the update as I’m prohibited from entering my vehicle until next Saturday because of unfounded fear of SARS-CoV-2 infection.

Still waiting to return to cruising on a cloud…

I Am Irate

Google ate me email

From about 2020-03-23T14:30:00Z (10:30 am, Monday) to about 2020-03-23T23:30:00Z (7:30 pm, Monday), Google was redirecting all my email and either bouncing it or deleting it.

I Am Irate
Too angry for words!

Let me repeat, google deleted or bounced my email for Nine Hours, as a part of the setup of my setup for a paid Google Apps account. The setup for these accounts are a bit weird. They require you to create a new google entity with your own company URL. Fortunately, I have multiple domains I own and maintain, including this one, TimeHorse.com.

I probably should have used my writing group domain, RestonWriters.org. After all, the whole reason I wanted to get a paid Google account is because Meetup was moving to Online-Only meetings, following the outbreak of SARS-COV-2, and I needed a tool that allowed for video conferencing.

Skype was a non-starter. For one thing, it’s great for person-to-person communications, but for group chats, it has this annoying habit of muting everyone except the current speaker and you have to wait until that speaker stops to get a word in edgewise. My understanding is WhatsApp has the same problem.

Meetup actually suggested using Google Hangouts or Zoom. I happen to like Zoom. I use it for my regular NPVIC Grassroots strategy meetings and for Toastmasters and it’s always worked great. Zoom does support up to a hundred participants, both free and Pro. The only problem is, each of those Zoom sessions are either limited to the free forty-minute block or are using an up-to-24-hour Zoom Pro Account. Since most of my Meetups are at least an hour, breaking meeting up into forty-minute chunks would be tedious. And, at $14.99 a month, the professional account is well out of my price range.

Just before the first week of Virtual meetings began, my writing colleagues and I, including Elizabeth Hayes, who runs The Hourlings, tested both free Zoom and Google Hangout. Despite being limited to ten people, we decided on Google Hangout and I mapped it to our official Virtual Meeting URL.

Ten people worked fine for Reston Writers and for the Saturday Morning Review. The Saturday Morning Review actually worked out quite well because Meetup, despite suggesting we move to a virtual platform, still won’t let you delete the venue from your event and mark it as virtual, which, when editing events can cause some confusion. But when the Library cancelled all our events, I just deleted them all from the Meetup Calendar, and recreated them with no Venue and just announced them as occurring in Cyberspace.

Stay with me folks, I’m getting to the email…

As Sunday approached, I new ten participants wouldn’t be enough. Google Hangout would be fine for Bewie Bevy of Brainy Books and Saturday Morning Review, and likely The Science Book Club, as they all usually have fewer than ten participants for each meeting. The Hourlings, on the other hand, often had twelve, and sometimes as many as sixteen!

I new Zoom was $14.99 a month, but I read that Google App accounts could up the number of participants to twenty-five. Unfortunately my 2TB Google Drive account didn’t qualify. I had to get a Google Apps account.

And that’s where my troubles began.

At first, I could only sign up for the $12 per month account, even though I’d read it could be had for $6. Since the setup has a fortnight trial period, I didn’t worry about the financial discrepancy. I set up the account with my business email address for TimeHorse, LLC. I associated it with with that email, it connected to my Gandi Registrar, and my account was ready to go. I created a Google Hangout and assigned it to the Virtual Meeting URL, hoping it would allow twenty-five. The plan was to use it with the Hourlings to verify that fact.

It failed! We still could only get ten people into the meetup despite it being a paid account.

Unfortunately, since Monday I’ve been on Weather and Safety Leave from work because my Telework agreement was revoked, but that’s a story for another day as this post is long as it is! However, it did allow me to speak to Google and they suggested I try Google Meet. Meet was included with all Google App paid accounts, and it would allow for up to a hundred people and could be as long as I needed. Also, I could downgrade to the $6 per month account and I would still be able to use it. I thus downgraded.

We tried it with Reston Writers Review and it worked wonderfully. We had up to twelve connections simultaneously! But I’m getting ahead of myself.

At around 10:30 am, that Monday, after chatting with Google, I was examining my Google Apps account more closely. It was telling me I had one last step I needed to complete: integrate me email with Gmail.

Stop
Stop, do not pass Go. You’re done!

That’s when my troubles began. You see, what this innocuous, turn-key step says it does is it says it sets up GMail for your company. What it actually does is obliterate all the MX Records (email routing information) of your DNS (Internet routing information) Zone File (routing configuration file) on Gandi and replace it with MX Records that point to Google. The setup wizard doesn’t actually tell you this and I’m totally oblivious.

At current writing, I have 188 forwarded email addresses set up on Gandi with their MX Servers. One of those is my business email, the one Google took over and is my Google Apps login. That’s the email google set up as the official email address used in GMail. Once the GMail setup goes through and I send an email from the GMail interface to my personal email address on the timehorse.com domain.

It never arrives. All day long, I watch my email and, strangely, nothing arrives after 10:30 in the morning. I refresh and refresh, and it’s still nothing. Where have all my emails gone?

It’s not until I’m setting up for Reston Writers that I decide to contact Google about this. I’m crazy-busy setting up the Google Meet, opening up the pieces we’d be reviewing on my computer, and, simultaneously, chatting with Google, trying to figure out why I’m not receiving any email.

Eventually, Google Tech Support starts talking about MX Records and a chill runs down my spine. As you probably gathered by now, I am well versed in DNS records and Zone File manipulation. I even have a Python script which updates my DNS A Record when the IP Address for this server changes.

With trepidation, I logged into my Gandi account and saw the damage. Google had modified my Zone file and added a bunch of strange new MX Records pointing to Google. They had nuked all my Gandi Email forward since they’d redirected all email traffic to google. As google only had one account registered on the domain, timehorse.com, namely my business email address, every other email address I possessed was either being deleted or bounced by google!

Fortunately, Gandi’s Email Forwarding page provides a warning when the Zone file doesn’t point to their email server, listing the correct MX Record settings to use Gandi as the mail hosting server. I quickly commented out the Google MX Records and pasted in the Gandi MX Records around 7:30 pm, in the middle of my Reston Writers meeting.

Needless to say, I was miffed that I could not give my full attention to my writers during our weekly writing gettogether. But it’s good I finally did figure out the disastrous actions committed by Google after only nine hours, and not a day or more.

I may never know what was contained in those nine hours of lost emails. I suppose there is one blessing, though. I get too much email already and still have dozens of unread messages I’m desperately trying to catch up on. One Covidapolis, novel-length email after another from every business under the sun. STFU companies, you’re all doing the same thing and I don’t like reading the same message again, and again, and again! You have a plan, that’s all I need to know!

Maybe Google was doing me a favor?

In the end, I was able to solve the problem because I got skills and I’m available for hire!