Jeffrey’s Jammin Birthday Bash

Join me to find out how I like my new job, the exciting plans I have for the upcoming year, and so I can give a personal thanks for your personal friendship!

Please note, the official start time is 20:00 because I want to make sure not to start it before I finish my first full day of work at the new job. If I finish sooner, I will open the room earlier. This is, after all, an exciting time for me. My first new job in 18 years, and the first of four steps on the route to make me a better man, and much, much happier!

This event is open to everyone who claims to know me! All of my software colleagues, all of my fellow authors, fellow science readers, fellow Doctor Who fans, fellow cosplayers, fellow Electric Car drivers and enthusiasts, all of my Equal Rights Amendment sisters and brothers in arms, all of my National Popular Vote Interstate Compact supporters, all of my avid gaming friends, all of my friends abroad except those in Europe—have your kip, mates—all of my fellow Toastmasters, all of my fellow aviators, all of my fellow musicians, all of my friends who speak French or German or Russian or Italian, my acting friends and my friends who eschew meat!

The only thing I ask is you be respectful, kind, and know that I hope you all consider any friend of mine a potential friend of yours!

There is a password to this event. It’s not hard to guess if you know me, but if you want to know it and you are reading this from Twitter, message me; on Tumblr, message me; on LinkedIn, again, message me; or join me via the Facebook event. Or, just comment on this blog with your email address, and I will mail it to you.

See you all next Wednesday!


When Zoom Fails, Google Meet to the rescue

This morning, I had set up The Hourlings on Zoom early, before I went to bed, hoping that, if I ran late, the meetup would already be set up, Marty would be early, and I could make him co-host in case I still needed time to read before we began at 10:00.

Instead, to my delight, my friend Cynthia was the first to log in around 09:30 and we had a few minutes to chat about life and her adorable Clove. I really admire Cynthia, or Max as she’s sometimes called. She writes some great LGBTQ literature and is a great guide of conscience for me. She’s also an ex-Marine. Semper Fi, my friend!

Unfortunately, we couldn’t get her video working, so, thinking that it would be as simple as restarting the meeting, I did just that. She promptly requested to rejoin and I accepted, looking forward to continuing our conversation.

It failed.

We tried again. No dice. I created a new Zoom event. That didn’t work. I asked the account owner to try. Still no success. It was already 10:00 and almost everyone was waiting to get in. I accepted them all, but none of them could connect.

Finally, our unofficial moderator, Evan Friedman brought up an instance of Microsoft Teams. He, Marty, and I verified its feasibility a while ago, so I knew it could work and joined the Teams meeting. The nice thing is now Teams allows virtual backgrounds, which was cool. But, unfortunately, Teams was as wickedly hard to invite people into as before.

Meanwhile, Marty set up a Google Meet account. We had tried Google Meet before, back when I created a Google Apps account. Back then, you had to pay for Google Meet by having a Google Apps account, and Google Meet didn’t have a grid view; however, it already accommodated a lot of people.

In the end, we went with Google Meet and decided to make that Meet event our official backup for whenever Zoom misbehaves again, though we shall still default to Zoom. Unfortunately, my nightmare hair isn’t hidden by Google Meet’s cameras like it is in Zoom, so I must have looked atrocious today. I wish the Hypochondriac would let me use my hair trimmer.

Google Meet

We found out during the meeting that we weren’t the only ones straining for Zoom capacity. Fortunately, there is a Zoom Status we can check the next time this happens, so we’re not left trying so hard to beat a dead TimeHorse. And the Zoom system was back up, just in time for us to finish our meeting.

Unfortunately, because of all the kerfuffle and notifications, I missed a 13:30 Zoom I was planning to attend. But at least I got to hang out with my fellow writers. Thank you for reading, and I should now get back to writing.

Microsoft Teams is not quite the Team Player we thought

The folks at CyberArk uncovered a new vulnerability in Microsoft Teams. In Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, they investigate a serious security hole in Teams that could threaten your organization and provide access to confidential information. Fortunately, Microsoft has, in theory, patched this vulnerability by locking down any vulnerable Microsoft Teams servers.

This is a startling development considering how I’ve had to defend Zoom with respect to its long-ago patched UNC Path vulnerability. Now, we find out that by intercepting the traffic during the sending of images like a GIF, an attacker can subvert a computer’s security, intercept a victim’s access tokens, and impersonate the victim to begin a social engineering attack.

The basic process is that the attacker can use Fiddler to intercept a benign image being transmitted. Since the image is transmitted via its URI, the attacker can modify the packet that transmits the benign URI and change the source domain to come from a compromised Microsoft Teams server.

Next, the attacker needs to intercept traffic to the compromised Microsoft Teams servers. Once the victim loads the image in his Teams viewer, the victim’s computer transmits his authentication tokens to the compromised server, and thus the attacker has the user’s credentials.

The main solution is to lock down any vulnerable servers in the Microsoft Teams subnet. However, it is interesting that Teams uses a REST API with JWTs. This is a very common authentication method and one used by OAuth authentication. I have developed a number of software components that use JWTs from OAuth and use those tokens to make connections to various web services I typically use, like Meetup and Google Drive.

Microsoft Teams uses two JWTs. First, the user gets an authentication token, and with that, the user can get the session token called skypetoken_asm. Both tokens are required by the Microsoft REST API to communicate with the server. The interesting thing, though, is that the second token is called Skype Token. A few years ago Microsoft bought Skype. At the time, people speculated why, and of course with Microsoft Teams, I thought it might be to give Microsoft leverage with its own video conferencing platform. The question was, was Microsoft Teams based on Skype? It looks like, at least in part, the answer is yes.
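As an added illustration (my own code, not CyberArk’s or Microsoft’s, and not how Teams actually implements its tokens), here is a minimal HS256 JWT mint-and-verify pair showing why merely holding a bearer token is a credential, and the two checks, audience and expiry, that limit what an intercepted token can be replayed against. The signing key, the claims, and the audience names chat-api and files-api are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real service keeps its signing key server-side.
DEMO_KEY = b"demo-signing-key-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_aud: str, key: bytes = DEMO_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if signature, expiry and audience all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuse "alg":"none" and algorithm-confusion tricks
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired (or no exp claim at all)
    if claims.get("aud") != expected_aud:
        return None  # minted for a different service
    return claims

def demo(now: float = 1_700_000_000.0) -> dict:
    """Four replays of one constructed token; True means the server accepted it."""
    token = mint_token({"sub": "alice", "aud": "chat-api", "exp": now + 300})
    h, _p, s = token.split(".")
    forged_payload = _b64url(json.dumps({"sub": "mallory", "aud": "chat-api", "exp": now + 300}).encode())
    return {
        # Whoever holds the string *is* alice until exp: interception is credential theft.
        "replayed_by_holder": verify_token(token, "chat-api", now=now) is not None,
        # Audience binding stops the same token being used against another service.
        "wrong_audience": verify_token(token, "files-api", now=now) is not None,
        # A short exp bounds how long a stolen token stays useful.
        "after_expiry": verify_token(token, "chat-api", now=now + 301) is not None,
        # Swapping the payload under the original signature fails the HMAC check.
        "forged_subject": verify_token(f"{h}.{forged_payload}.{s}", "chat-api", now=now) is not None,
    }

if __name__ == "__main__":
    print(demo())
```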

Below, you can watch a video of how this attack might actually work.

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams | CyberArk

So, be careful what video conferencing system you use. Clearly, Zoom isn’t perfect, but neither is Microsoft, and neither is Google likely to be. There is no reason to pick on any of them. All three are working hard to patch vulnerabilities as soon as they’re found. Just, try to keep your software up to date. And that’s my latest deep dive into Video Conferencing security. If you like what you’ve read, I’m available and eager for hire.

Let the People Pick the President

The Case for Abolishing the Electoral College

Today, my good friend Eileen Reavey hosted a chat with Jesse Wegman, author of the new book Let the People Pick the President, on Zoom and the official Facebook page (as opposed to my Grassroots page). Jesse laid out the reasons why we have the Electoral College and how states choosing how to interpret Article II, Section 1, Paragraph 2, as Amended hasn’t always been Winner-Take-All.

Jesse goes on to point out how Compacts only need Congressional Review when they violate Federal Supremacy. This is one of the major arguments we face when defending the NPVIC. Along with that comes the misconception about state power: in most states that are not battlegrounds, your vote doesn’t count now, so under the compact you aren’t decreasing the power of your state, you’re increasing the power of your state’s voters.

Another good point is how non-partisan this issue is. When you put all your eggs in one proverbial basket of battleground states, you end up with a system that is more subject to whim than reflective of the will of the nation as a whole. We know, for example, that voter turnout for President is up to 11% higher in battleground states than it is in non-battleground states.

Finally, we touched on the tangential issue of Ranked Choice Voting. The thing that folks don’t understand is that any issue with the Spoiler Effect inherent in the NPVIC exists in the Electoral College as well. The NPVIC isn’t trying to remedy that issue, and that issue is much better approached by promoting Ranked Choice Voting as well as the National Popular Vote Interstate Compact, for the reasons Jesse so eloquently outlines.


Webinar with Jesse Wegman and Eileen Reavey

Posted by National Popular Vote on Thursday, April 23, 2020

I greatly admire Jesse for making the effort to write a wonderful book and to take the time to speak with Eileen. He and I may disagree on how best to end Gerrymandering in Virginia, but I’ll save that argument for another day. Right now, let’s work together to ensure One Person, One Vote where Every Vote is Equal. Ask your state governments to pass the NPVIC today.

Meet Virginia’s next Governor!

I was delighted to see Delegate Jennifer Carroll Foy at today’s Herndon-Reston Indivisible meeting on Zoom. I first met Delegate Carroll Foy during my many years of trips to Richmond to lobby for the ERA. And Jennifer has been one of the best advocates we’ve had in the General Assembly. She has been a wonderful orator who gave an incredible speech in favor of the ERA last year as we were fighting for the ERA. And in the 2020 session of the General Assembly, it was Jennifer who submitted HJR 1, the ERA bill.

I was, of course, there on 27 January 2020 when Jennifer held a press conference announcing that it would be the day both chambers of the General Assembly would vote on the legislation passed by the other chamber and thus ratify the ERA in Virginia, making us the 38th and last state needed for passage.

Delegate Jennifer Carroll Foy
Here I am with Jennifer Carroll Foy on 27 January, 2020, the day we—finally—passed the ERA! This was just before her press conference to announce that both chambers of the General Assembly would be voting on the other chamber’s resolution and it was a race to see who would pass it first. I was confused and didn’t get to the gallery in time (which is why I’m not in the photo on the stairs), but a bunch of us watched the House of Delegates debate and when I went out to powder my nose, I peeked in on the Senate and saw they were debating Jennifer Carroll Foy’s HJR 1. We did it, my friend!

Unfortunately, after the press conference, I got a little lost so wasn’t able to make it to our amazing photo on the stairs that day. Instead, I made my way to the House and Senate conference rooms where the General Assembly was being broadcast. I joined some of my fellow ERA advocates in the House Meeting Room 3. The House of Delegates was busy debating a number of bills and eventually I needed to use the facilities.

On my way back, I peeked in on the Virginia Senate in Senate Meeting Room 3. They were debating Jennifer’s HJR 1! I rushed back to the House Meeting Room and let everyone know it was happening in the Senate. We all rushed over and watched it live, as it happened, as Virginia became the 38th and final state to pass the ERA. We did it! We made history! And all thanks to Jennifer’s HJR 1!

As my readers know, I have long advocated for the adoption of the Equal Rights Amendment, but I am happy to hear Jennifer supports many of the other issues I care deeply about. That is why, without hesitation, I am happy to support Jennifer as she announces her bid to become the next Governor of Virginia!

Be well my lady and gentlemen friends!


A Timer Most Colourful

Today, I will be the official Timer for tonight’s Loudoun Toastmasters. Last time, I was on hold to do an Evaluation, but the speech maker was ill, so I was instead without a role. On the upside, it gave me time to consider using my Zoom background to enhance the effect of the Timer role. I was therefore anxious to try it out as soon as possible.

Originally, my dear friend Capt. Laura Savino was planning to be Timer, but, since SARS-CoV-2 she’s been busy hanging out with her wonderful boys as she’s hunkered down, sheltered in place. Hope to see her again after Covidapolis is over. But, in the mean time, for tonight, I’ll be stepping into her role.

The role of the timer is to time how long speeches are and to indicate when time is running out to the speaker. Each speech has a minimum time. When that time is hit, I indicate success with a green background.

The Green Card
The Green Card in Toastmasters means you’ve met the minimum time requirement

Next, when a speaker is half-way through her or his allotted time, I flash the yellow background.

The Yellow Card
The Yellow Card in Toastmasters means you’re half-way through your allotted, acceptable time

Finally, when the speaker is out of time, I flash the red background. At this point, the speaker has thirty seconds to wrap up or be disqualified because his or her speech ran too long.

The Red Card
The Red Card in Toastmasters means you’re out of time

I time all speeches, which range from 5–7 minutes for a standard speech, 4–6 minutes for an Ice Breaker speech, 1–2 minutes for a Table Topic speech, and 2–3 minutes for Evaluations.

It all happens tonight. Stand up straight and deliver my friends!

Electric Cars from near and far

At today’s EVA/DC meeting, we used Zoom to connect with our fellow Electric Car enthusiasts both new and old. I’ve been part of the EVA/DC for ten years, and there have been many friends I’ve made through my time there. It was great seeing so many longtime friends once again thanks to the EVA/DC Zoom chat.

Some on Facebook complained that using Zoom for the EVA/DC meetings was insecure. But, as I’m literally a professional white hat hacker, I knew all too well the early and unfounded FUD against Zoom and what it is and is not appropriate for, and how it’s improved. Though I’ve written about it at length, the short answer is: secure enough for EVA/DC, not secure enough for COMSEC TS/NOFORN. Nobody is talking about issues of national security, so please, come join us on Zoom!

My good friend and fellow Eclipse enthusiast, Scott Wilson, shared with us an invitation to the Drive Electric Earth Day event with Plug-In America. The Drive Electric Earth Day Tribute: EVs Making a Difference will occur on 22 April, at 14:00 EDT / 11:00 PDT. You can RSVP here. I should put a disclaimer here that I have asked to be nominated for Plug-In America’s Drive Electric Awards this year, but to be honest, I don’t think anyone nominated me so no worries about a conflict of interest.

Then my longtime friend Eric Cardwell in Tennessee showed us his burgeoning Drive Electric Tennessee page and his new logo. Of course, we wish him well and hope, when he’s got it set up, to maybe attend one of his meetings on Zoom. Your logo’s looking sharp, my friend!

But the pièce de résistance has to be seeing my longtime friend and first Smart Electric Drive (Smart ED) owner in the US, LTC Mindy Kimball. She shared with us this classic clip from Dan Rather Reports.

Brava Mindy! It was wonderful seeing you again and getting a glimpse of this blast from the past. And you know, though it’s not exactly the same Smart ED owner, her current Smart ED is now driven by the young man in the videos. Look how far we’ve come!

Finally, I would be remiss if I didn’t invite all of you to join me this Saturday on Secure Zoom where I will be presenting #CO2Fre. Please, come cruise the cloud with me.

When Zoom Online fails, phone it in

Today, at Reston Writers Review, we had a major Zoom snafu. One of our writers was having a dickens of a time trying to communicate through the Zoom interface when we were reviewing her piece. We had a similar problem on Sunday with The Hourlings but were able to solve that with the person being reviewed just shutting off her video and only using the microphone.

Today, even that didn’t work. One member had to leave the meeting, the connection was so bad and even when the woman being reviewed turned off her video, her voice was still astoundingly choppy.

The only thing for it was to use the backdoor option provided by Zoom: the telephone interface. I hastily logged into the Zoom account provided to me, copied the full meeting info from the Zoom side—including the dial in numbers for connecting to Zoom on the telephone—and, finally, our author was back in the meeting.

Overall, it took about 10 minutes for us to fix all the difficulties listed above, but fortunately we only had five more folks who wanted to give their review, and we were still done by 21:00, our normal meeting end time.

All in all, it was a great and successful meeting despite the glitch. It’s more than likely Internet bandwidth is getting frayed due to an upswing in online meetings. But we adopted and adapted, and improved, just like the motto of the round table suggests.

Thank you for reading!

An Electric Ford Model T?

My good friend Charles Gerena is organizing a special Zoom event on Meetup where we get to meet the owner of a Ford Model T. Now, if you know anything about the old Ford cars, their engines were only built for about 25,000 miles. After that, you’d have to rebuild the engine, replacing worn parts from a very limited supply, and build it back up again for the next 25,000 miles. As I do almost 25,000 miles a year in #CO2Fre, that’s not much driving for me at all.

So, why, you may ask, am I promoting a Model T Meetup? Simply put, this is no ordinary Model T—this Model T has been electrified! Today, we are going to learn how the owner converted his classic Model T into an electric car, complete with batteries and electric motor. I hope you can join us!

1914 Model T Hack
Electric Cars aren’t always OEM, sometimes they’re converted. Here in Virginia, someone has converted a Ford Model T into an electric car!

Although I’ll not be cruising on my cloud to get there, hope to see you today at 14:00 EDT!

Meetup Online: It’s Okay to Zoom

As an Internet Security professional, I have heard some folks expressing dismay over various security issues in the Zoom video conferencing package and the MatterMost chat services. I may do a piece on MatterMost at a later date, but for now I want to focus on Zoom because Zoom is what Meetup is suggesting as one of their preferred video conferencing platforms. (The other, Google Hangouts, is limited to ten people and thus isn’t practical for a number of the meetups I run.)

The thing is, many of the earlier security issues which plagued Zoom at the beginning of the recent surge in online meetings have been solved. Tom’s Hardware wrote a very insightful analysis of these issues in a recent article by Paul Wagenseil, Zoom privacy and security issues: Here’s everything that’s wrong (so far).

Most of the issues covered have already been patched, such as UNC password theft under Microsoft Windows. This was a rather insidious security flaw but fortunately the folks at Zoom stepped up to the plate and patched.

iOS profiling also seems to be fixed. Since I do a lot of my Zoom conferencing, with the National Popular Vote Interstate Compact grassroots coalition, on the iPhone, this has been a great relief. Now, though, I do most of my meetup Zoom conferences on my laptop.

The decrypting of streams at the Zoom servers and re-encrypting them as they go out to the far-end client is at first blush worrisome, but that is in part necessary for folks recording their Zoom sessions, and though it puts a vulnerability at the level of Zoom staff, one hopes Zoom is careful with whom it employs. But it must be said, nothing I do on Zoom is something I would be embarrassed about were it to leak. I nonetheless want to do everything in my power to make sure it stays secure, and I’m happy to hear Zoom is looking into closing this security flaw.

The auto-download for Macintosh is worrisome, but again I am happy to say this practice is also ending, as it is a backdoor that Zoom could use to allow third-party software onto one’s Mac. Zoom has also ceased allowing team profiles to share email addresses, though this is not a feature I’m using for any of my Zoom conferences.

As for recordings leaking onto the Internet, folks joining your conference uninvited (Zoom Bombing), or war-driving-style scanning of Zoom to find your conference, all of these can be solved by user diligence. It’s important to be mindful of who you let into a conference, and don’t let just anyone have access to your recordings. For my Writing Groups, only myself, the account owner, and the persons being reviewed will ever have access to the recordings, and if the person being reviewed doesn’t need the recordings, we will delete them.

Also, as of this morning, 5 April 2020, at 0:00 UTC, Zoom now requires passwords on all new Zoom events. Thus, even with a Zoom ID scan, you won’t be able to get into the meeting without the password and although the URL can encode the password in an obfuscated way, simply scanning Zoom IDs will not get you into the conferences. And even if you did, I’d still have to approve you. I won’t.

The Zoom Logo

Overall, I’m quite happy with Zoom and hope to use it all through Covidapolis. I give it this Security Engineer’s seal of approval. And please note, I am available for hire if you like what you see!