02 February 2018


Feast of the Presentation of Jesus in the Temple
Feast of the Purification of the Blessed Virgin Mary

February 2nd

One of the things I miss most about teaching is the rhythm of the school year.  Teachers are teased about their ever-changing bulletin boards, but the reality is they are an excellent example of the ebb and flow of the school year.  There is always something to be putting away until next year, something to be doing right now, and something to be preparing for.  Working outside of a school system now, it is very easy to get stuck in a rut where every day is just a continuation of the previous; there is always work to do, and what doesn't get done today will need to get done tomorrow.  My consolation, then, is that the Church gives us seasons and feasts to give rhythm and flow to the whole year.

Today, Candlemas, is one of my favorite feast days.  Two feast days, really.  In Jewish custom, not only did the first born male need to be purchased back from God with two turtledoves or two young pigeons, but a woman who had given birth was considered unclean, so purification was necessary.  Hence the two feast days.

The Gospel for today does a better job explaining:

Luke 2:22-40 Revised Standard Version Catholic Edition

And when the time came for their purification according to the law of Moses, they brought him up to Jerusalem to present him to the Lord (as it is written in the law of the Lord, “Every male that opens the womb shall be called holy to the Lord”) and to offer a sacrifice according to what is said in the law of the Lord, “a pair of turtledoves, or two young pigeons.” Now there was a man in Jerusalem, whose name was Simeon, and this man was righteous and devout, looking for the consolation of Israel, and the Holy Spirit was upon him. And it had been revealed to him by the Holy Spirit that he should not see death before he had seen the Lord’s Christ. And inspired by the Spirit he came into the temple; and when the parents brought in the child Jesus, to do for him according to the custom of the law, he took him up in his arms and blessed God and said,

“Lord, now lettest thou thy servant depart in peace,
according to thy word;
for mine eyes have seen thy salvation
which thou hast prepared in the presence of all peoples,
a light for revelation to the Gentiles,
and for glory to thy people Israel.”

And his father and his mother marveled at what was said about him; and Simeon blessed them and said to Mary his mother,

“Behold, this child is set for the fall and rising of many in Israel,
and for a sign that is spoken against
(and a sword will pierce through your own soul also),
that thoughts out of many hearts may be revealed.”

And there was a prophetess, Anna, the daughter of Phan′u-el, of the tribe of Asher; she was of a great age, having lived with her husband seven years from her virginity, and as a widow till she was eighty-four. She did not depart from the temple, worshiping with fasting and prayer night and day. And coming up at that very hour she gave thanks to God, and spoke of him to all who were looking for the redemption of Jerusalem.

And when they had performed everything according to the law of the Lord, they returned into Galilee, to their own city, Nazareth. And the child grew and became strong, filled with wisdom; and the favor of God was upon him.

Because of Simeon's words about Jesus being the light to the gentiles, the Church has traditionally blessed the candles to be used during the coming year: Candlemas.

There was an excellent article written in 1942 by a Fr. John Bolen titled The Wax Candle in the Liturgy, and I highly recommend reading it.  Years ago, when we started making candles for our home use, we used paraffin wax.  It was cheap and easy to work with, but recently we have switched to 100% beeswax.  If you are looking for a reason to switch to beeswax candles, the interwebs will give you plenty of reasons.  I do not, however, dip all our candles.  We use tin molds to make both tapers and pillar candles.  In my mind, it is out of economy.  When we dip candles, we always have to have around 4 lbs of wax melted so that the candles don't get stumpy.  When we pour candles, we can use every last drop.

In the sense that we prepare candles before actual Candlemas, we started celebrating weeks ago!

This year, we made white candles, as well as colored candles for our Advent wreath.  The colors we chose were Violet and Rose.  I recommend dye flakes vs. pigments.  They are easy to measure and mix, and don't clog the candles.

We then took the candles to Mass with us, and they were blessed!

We had a wonderful dinner by candlelight, and enjoyed an evening remembering that Christ came into the world to be a light to all of us.

Everything does taste better by candlelight....


The Nativity scene will be packed up tomorrow, as we close out Christmastide, and we will start gathering everything to start Lent in a few weeks.  All the best from our family to yours.  May your evening be a blessed one, and the coming year be full of grace and peace.

01 February 2018

Multi Factor Authentication - Duo and Yubikey

Multi-Factor Authentication (MFA), or 2-Factor Authentication (2FA), is not just all the rage today but a necessity in today's ultra-connected world.  The balance between security and convenience is a hard one, but it has to be weighed and measured for you, your information, and the assets you are responsible for.


I have used, implemented, advised on, and researched several forms of Multi-Factor Authentication (MFA).  Simply stated, MFA or 2FA just means that you are required to present two pieces of evidence to authenticate.  Generally these fall under one of three categories:  knowledge (something you know), possession (something you have), and inherence (something you are).  That could mean knowing a password (knowledge) AND having a USB smart card plugged in (possession).  The implementation on many social media and shopping sites is a password AND a number generated by a time-based one-time password (TOTP) dongle or app (possession).  SMS codes are not technically 2FA because they can be spoofed, but they are still 2SV.  MFA could also be a biometric fingerprint reader (inherence) combined with a hardware-generated one-time password (HOTP, possession).

Some Definitions:

2FA - 2 Factor Authentication, use of 2 different MFA factors.
2SV - 2 Step Verification, use of 2 authentication methods that are NOT distinctly different factors.
AD - Active Directory, Microsoft's enterprise-level central store for usernames and passwords.
Biometrics - Using unique human attributes to authenticate.
FERPA - Family Educational Rights and Privacy Act, safeguards and security provisions to protect student information, and to allow parents and students reasonable access to their data.
HIPAA - Health Insurance Portability and Accountability Act of 1996, safeguards and security provisions to protect medical information.
HOTP - Hardware One Time Password, a password generated by a physical dongle that produces the next password from an algorithm and a counter advanced by successive key presses.
Inherence - Inherence Factor, a factor of MFA: aspects that are integral to the individual in question, like biometrics.  Something you are.
International Safe Harbor Privacy Principles - principles developed to prevent private organizations within the European Union from accidentally disclosing or losing personal information.
Knowledge - a factor of MFA: something that is known only to the user, like a password.  Something you know.
MFA - Multi Factor Authentication, any time that 2 or more unique authenticating factors are required to allow access to a resource or asset; this includes 2FA, 3FA, 4FA, etc.  Factors include Knowledge, Possession, and Inherence.
NFC - Near-Field Communication, wireless technology that allows communication over short distances, usually an inch or less.
NIST - National Institute of Standards and Technology, sets the standards and recommendations for MFA.
OTP - One Time Password, a password that can only be used once.  Based on time or key presses and generated from pre-shared information and an algorithm.
PCI - Payment Card Industry, most often referring to the Payment Card Industry Data Security Standard, a set of security requirements for credit card processors.
PIV - Personal Identity Verification, a standard for a specific type of smart card that can be used as an access card.  It is standardized by FIPS 201 and used by federal agencies.
PKI - Public Key Infrastructure, all components necessary for using public key encryption.  Utilizes public and private keys for encryption.
Possession - a factor of MFA: something physical that cannot be duplicated or spoofed and is used to authenticate or verify a specific user.  Something you have.
SmartCard - any of a number of pocket-sized devices that have an embedded integrated circuit.  They can contain personal identification, authentication, data storage, application processing, etc.  They can be contact based or contactless.
SMS - Short Message Service, a GSM service that is used to send and receive short text messages between mobile devices.  NOTE: because they can be spoofed or read by service personnel, SMS codes are not considered a Possession Factor of MFA by NIST.
Spoofing - a form of subterfuge in which communication is sent from an unknown source disguised as a source known to the receiver.
TOTP - Time-based One Time Password, a password generated by a physical dongle or application that produces the next password from an algorithm and the current time.
VPN - Virtual Private Network, a private network that allows confidential and secure communication over public networks.
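The HOTP and TOTP entries above describe the algorithms only in outline. The following is an added example, not code from the original post, that implements both from RFC 4226 and RFC 6238 in plain Python and adds the checks a verifying server needs: a look-ahead window for unsynchronised key presses, rejection of replayed HOTP codes, and tolerance for clock skew. The only input it assumes is the RFC test secret, "12345678901234567890".

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with verifier-side checks.

Added example; standard library only. The shared secret below is the
published RFC test secret, so the codes it produces match the RFC appendices.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """Counter-based OTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits.

    The dongle advances `counter` once per key press; the server tracks it too."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digest).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """Time-based OTP: HOTP with the counter replaced by elapsed 30-second steps."""
    return hotp(secret, unix_time // step, digits, digest)


class HotpVerifier:
    """Server side of HOTP.

    Remembers the next counter it expects, so an intercepted code cannot be
    replayed, and looks a few counters ahead to absorb accidental key presses
    on the dongle that the server never saw."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            # compare_digest avoids leaking a partial match through timing
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1             # consume this and every earlier counter
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbouring steps of clock drift.

    A production verifier should also remember the last accepted step so the
    same TOTP code is not accepted twice inside the window."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # RFC 4226 Appendix D: counters 0 and 1 give 755224 and 287082.
    print("HOTP(0..1):", hotp(RFC_TEST_SECRET, 0), hotp(RFC_TEST_SECRET, 1))
    # RFC 6238 Appendix B (SHA-1, 8 digits): time 59 gives 94287082.
    print("TOTP(t=59):", totp(RFC_TEST_SECRET, 59, digits=8))
    v = HotpVerifier(RFC_TEST_SECRET)
    first = v.verify(hotp(RFC_TEST_SECRET, 3))        # accepted
    replay = v.verify(hotp(RFC_TEST_SECRET, 3))       # rejected: already consumed
    print("HOTP accepted, replayed:", first, replay)
    print("TOTP now:", totp(RFC_TEST_SECRET, int(time.time())))
```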


In 2017 we saw a huge uptick in cyber attacks.  Equifax, Yahoo, FedEx, Uber, and countless Facebook, Gmail, and Twitter accounts suffered data breaches, and with worms like WannaCry, NotPetya, and Bad Rabbit, the reality is that you cannot be too careful.

Passwords can be cracked, hacked, shared, and stolen.  MFA applies a second (or third, fourth, etc.) level of authentication and therefore adds another layer of security.  The cost of a security breach is greater than the cost of 2FA, and the extra steps involved force you to be mindful of what you are accessing, where you are accessing it from, and what the loss would mean.

Furthermore, if you are a business or entity that is required to use MFA to be PCI DSS, HIPAA, FERPA, or Safe Harbor compliant, then you need to put forth the effort now so you don't get blindsided later.


In my mind, any MFA solution has to have certain pieces:

1) Secure - No bypassing, no spoofable devices, no shared devices; user tokens, certificates, passwords, etc. need to be easily revocable.
2) Failover - The solution needs to be reliable.  While staying secure, there needs to be more than one way to authenticate the 2nd factor, in case the infrastructure for the 1st method fails.
3) Usability - If there is no end-user buy-in, it won't get used, it will get bypassed, and it will all be for nothing.... period.
4) Deployability - Sometimes referred to as scalability.  It should be easy to go from 10 users to 100 users overnight.
5) Maintainability - Once the solution is operational, how often will it need maintenance, and how many help desk calls are going to be about this solution?

There are LOTS of MFA solutions, but the one I want to walk through today is Duo.  The maintainability, deployability, and usability are there, and it can be made secure.  The problem I had with their module to secure Windows desktop login was that if the machine was not connected to the internet, there was no way to verify the 2nd factor.  It does, however, allow for failover to a smart card.  This is where the YubiKeys enter in.


Duo is well documented, and it's worth trying for free for 10 users.  To set up Duo Authentication for Windows Logon and RDP, follow their instructions here: https://duo.com/docs/rdp

For my purposes, I have the installer run from a batch file with my pertinent information.  Make sure you allow smart cards, do NOT let it fail open, and, since I was securing both local and remote sessions, turn off RDP only.  With the blank values filled in from your Duo application page, the three trailing properties set exactly those options:

msiexec.exe /i DuoWindowsLogon64.msi IKEY="" SKEY="" HOST="" SMARTCARD="#1" FAILOPEN="#0" RDPONLY="#0"

This means that if Duo can't connect to the internet, your users can still log in with the smart card.  If you use YubiKeys, you can also enroll them with Duo as hardware tokens to provide the OTP.

To secure Duo, I turn off the authentication methods that are capable of being spoofed, and I require an encrypted OS on the phone and biometrics to use the app.

Now, when users log in, they get a prompt to authenticate through Duo.

But what happens if the internet is disconnected, or the user is on an airplane with a laptop, etc?


This is where having the smart card option is key.  If you already enabled smart cards at install, then Duo is already set.  To leverage a YubiKey, or any smart card, you will need a PKI setup.  That starts with a Certificate Authority, then you will need your machines to accept smart cards, and finally you need a way to enroll them.

I would recommend reading the following documents if this is the road you want to go down:

Setting Up a Certificate Authority
YubiKey Smart Card Deployment Guide
YubiKey Smart Card Minidriver User Guide
YubiKey PIV Manager User's Guide
Yubico PIV Tool Command Line Guide

The down and dirty goes like this:

A) Create a Certificate Authority on a fresh server install (found in the Microsoft and YubiKey documentation)

1. Open Server Manager and choose Add roles and features, > Next.
2. > Role-based or feature-based installation > Next.
3. > Select a server from the server pool.
4. Select your new server.
5. Under Server Roles, > Active Directory Certificate Services, > Next.
6. > Add Features, > Next.
7. > Next again.
8. > Certification Authority, > Next.
9. > Install. Allow several minutes for the process to complete.
10. > Configure Active Directory Certificate Services on the destination server, > Next.
11. > Certification Authority, > Next.
12. Choose Enterprise CA, > Next.
13. Choose Root CA, > Next.
14. Create a new private key, > Next.
15. Select the cryptographic provider, hash algorithm, and key length for the private key, > Next.
(Yubico recommends sticking with the default values so you don't create a certificate that is too big for the smart cards.)
16. Common name and Distinguished name will be automatically populated. Confirm the values match the server name and domain name, > Next.
17. Select the validity period for the Certification Authority certificate, > Next.
18. Leave the Database locations to the default values > Next.
19. Verify all settings match the desired values, > Configure.
20. When the process completes, exit the installation wizard.

B) Install the minidriver
1. Download the minidriver: https://www.yubico.com/support/knowledge-base/categories/downloads/
2. Unzip
3. Right click the one that says it has Setup Information and click Install

C) Create an Enrollment Agent so you can enroll certs on behalf of your users.
If you want to allow users to self enroll, follow the documentation in the deployment guide above
1) Open the Certificate Template Manager by running certtmpl.msc
2) Right click on the template named Enrollment Agent

3) In the Security tab, ensure that the user(s) or group(s) that will be in charge of enrolling other users have Read and Enroll permissions on the template.
4) Open the Certificate Authority Manager by running certsrv.msc
5) Right-click Certificate Templates, and under New, choose Certificate Template to Issue.

6) Select Enrollment Agent template
7) Open certmgr.msc
8) Under Certificates - Current User expand Certificates
9) Right click, Request a New Certificate
10) Select Active Directory Enrollment Policy, and then select the Enrollment Agent template, and then click Enroll.

D) Create a smart card certificate Template
1) Open the Certificate Template Manager by running certtmpl.msc
2) Right-click Smartcard Logon, and select Duplicate Template.
3) Set up the certificate as follows:

4) Open the Certificate Authority Manager by running certsrv.msc
5) Right-click Certificate Templates, and under New, choose Certificate Template to Issue.

6) Select the YubiKeySC template
7) Open certmgr.msc
8) Under Certificates - Current User expand Certificates
9) Right click, Under Advanced Options, choose Enroll on Behalf of
10) Select Active Directory Enrollment Policy, and then browse and choose your Enrollment Agent cert, choose the correct user and then click Enroll.
11) The default PIN is 123456
12) MAKE SURE THE USER CHANGES THEIR PIN.  It has to be 6-8 characters and can be a combination of letters and numbers.  They can change their PIN by pressing Ctrl-Alt-Del and switching to the smart card with the Sign-in options button.

E) Resetting a smart card after the user locks their PIN
It will happen.  You can use the PIV Manager to reset it, or you can download the PIV Tool and run the following batch file (~path is wherever you unzipped yubico-piv-tool):


@echo off
rem The PIV applet only allows a reset once BOTH the PIN and the PUK are blocked,
rem so this deliberately burns the retry counters with wrong values, then resets.
:choice
echo Yubikey will be reset and
echo you will erase current Certificate.
set /P c=Are you sure you want to continue [Y/N]?
if /I "%c%" EQU "Y" goto :yes
if /I "%c%" EQU "N" goto :no
goto :choice

:yes
echo Resetting Yubikey...
rem Wrong PIN until the PIN is blocked (default retry count is 3; a 4th try is harmless)
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
rem Wrong PUK until the PUK is blocked
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
rem Both blocked: reset wipes keys and certificates and restores the default PIN/PUK
~path\yubico-piv-tool -a reset
echo exiting.............
goto :eof

:no
echo Yubikey was not reset.
echo exiting.............

After the YubiKey is reset, it will have to be re-enrolled, and the old cert will need to be revoked.

Other Considerations

As I said earlier, this is just one of many options.  Start the conversation now, because if you are not using any form of MFA or 2SV, then ANYTHING you do is more secure than what you have right now.

I am not paid by any of the aforementioned companies; in fact, I pay them for the use of their services and devices.

Make sure you enroll your YubiKeys in Duo as well as enabling the smart card feature.  Then you can use them as a token and don't have to rely on the app: https://duo.com/docs/yubikey

Finally, do your homework.  The more prepared you are, and the more you experiment with these items in your own environment, the better prepared you will be for the challenges ahead.

31 January 2018

Potato Soup 2 Ways

Gluten-Free, Dairy Free, Potato Soup

We have tried at least half a dozen different potato soup recipes, from the copycat Zuppa Toscana, to Czech garlic potato, loaded baked potato, mushroom potato, etc.  This is our favorite.  This is an easy soup, flexible, easily modifiable, and makes a ton... 1.5-2 gallons worth.

While it does make 25 one-cup servings, and you might be tempted to cut it back, I would caution you not to.  It keeps well, the proportions start getting weird when you cut it down, and really, you will eat more than 1 cup of it at a time.

The reason I say "Potato Soup 2 Ways" is that we often make it meatless on Friday, and then add sausage to it on Saturday, and it is almost completely different. We also use Almond milk, and honestly, I think it works better, and freezes better.


1-2 Tbs oil (or drippings from bacon/sausage)                 
4 Stalks Celery, small dice                                   
1 Large Sweet Onion, small dice
1/2 Cup Flour
1/2 gal Vegetable or Chicken stock
4 lbs. potatoes, peeled, diced
2 tsp Salt
2 tsp Slap Ya Mama (or other Cajun seasoning, may need to cut back on salt)
Pepper to taste
2 Cups Unsweetened Almond Milk

1 lb. bacon cut into pieces
2 lbs. Polish/Smoked Sausage (We use Conecuh Sausage) cut into pieces
Green Onions/Chives
Sour Cream


1. (Meat-Free) Sauté onion and celery in oil in large pot/dutch oven until beginning to soften.
1a. (Meat) Brown sausage until cooked through in large pot/dutch oven, remove with slotted spoon.
1b. (Meat)  Sauté onion and celery in drippings until beginning to soften.
2. Add flour and stir until color starts to change.
3. Add half of stock, stir.
4. Add potato and rest of stock.  Gentle boil until cooked through.
4b. (Meat) While potatoes are boiling, cook bacon and crumble.
5. Once potatoes are cooked add Almond Milk, blend soup in batches, or use an immersion blender.  (If you like some pieces of potato, don't blend it all)
6. (Meat) Add Sausage and heat through.

Top as desired.  Sometimes I'll add the bacon in with the sausage, but I really prefer the crispy bacon on top, with a healthy dose of cheddar cheese.


14 January 2018

Confraternity of Christian Mothers - Internet Safety - Hahn/Voboril

A few weeks ago, I was blessed to share a podium with Jeff Hahn at the Confraternity of Christian Mothers, Birmingham Chapter.  We spoke for some time on the perils of the internet, how to protect yourselves and those under your care.  As promised, I have posted some of our notes and slides below.

Jeff Hahn Notes
Tomas Voboril Notes

To learn more about the Birmingham Confraternity of Christian Mothers, check out their webpage here: https://ccmbham.wordpress.com/

St. Michael Fighting the Dragon
Albrecht Durer

29 May 2017

Visconti Australis Opera Master LE

It took me a while to find ANY information on this fountain pen.  Originally, when I saw it for sale, I thought it was a fake.  It was, in fact part of a 3 pen Limited Edition offering for Visconti's Australian market.  

The Australis was limited to 150 pens.
The body is made of black lucite with rose gold accents.
The filling system is Visconti's double power reserve.
The nib is 18k gold (mine is a medium).

My Australis was shipped from Australia as NOS (New Old Stock).  The box was not in very good condition, it was falling apart, and had me worried.  The pen (and accompanying letter opener) were in perfect condition.  I was struck by the size of the pen.  It is Opera Master size, and as you can see below, that makes it on the "oversized" end of things.

I love the rose gold accents.  Sometimes, rose gold looks more brass than gold, but I think they did an excellent job here.  The letter opener matches very well.

Some of my Viscontis have poor lettering on the clip; this one had sharp lettering that stood out with even black filling.

It does have the "my pen" system, where you can replace the end bit on the pens, but they all have gold or silver accents and they just don't work as well as the one that came with it.  My one complaint is that the magnet is very weak on this one, and the logo seems to rotate every time I use it.

Like the other Opera Masters, it follows the squaring the circle concept.  It really does make for a comfortable pen, and a great looker.  I actually enjoy it more than the Waterman Exception.

The nib is lovely, and the writing experience was superb.  Visconti nibs run wet and wide.  This is no different.  I will say I prefer their gold nibs to their palladium nibs.

From left to right, Pelikan M805, Visconti Homo Sapiens London Fog, Noodler's Neponset, Visconti Australis, and MontBlanc 149.  It's a BIG pen.

In the Visconti line-up, it is the biggest among the popular ones.

Australis Opera Master on Top, Homo Sapiens in the Middle, Opera on the bottom.

In conclusion, I love the pen.  I have had it now for six months and it is almost always inked, with MontBlanc Lavender Purple. It is a big luxury pen, but it can be had for a decent price and it really does deliver.  I did not find it over-weight or over-sized in a bad way.  I do not post the cap when I use it; that would make it way too big.  There are other Opera Masters I would love to have, but if this is the only one I am ever able to acquire, I will be content with it.

31 July 2016

The Signature Pen

When I first started looking for and defining my signature pen, several people asked me, "Well, which of your pens is your favorite", or "Which pen do you use the most" almost always ending with "use THAT as your signature pen".  I have a lot of pens, so I can definitely see why someone could question my need for another. So, at the risk of sounding pedantic, I am looking for a pen whose main job is to be used for my signature... not a pen that IS my signature piece.  As horrible as it sounds, I don't know that I could make one of my current pens into a signature pen, because it would feel like I was picking a favorite child or something... gosh I hope my actual children never read this ... I love you guys :-)

I am not a famous author... or a famous... anything... for that matter, nor am I just that vain.  I have used fountain pens for over 20 years, but have only recently gotten back into calligraphy.  While the broader pens make up most of my stable, I have never really gotten into crisp italics because they do not work with my cursive, I blame Zaner-Bloser.

Enter the epic Pilot Parallels.

These little pens are what made me dig out my dip pens.  They are certainly not a replacement for dip pens, but they are sweet little things.  BUT, their greatest act was making my signature look awesome... so maybe I am a little bit vain.

I have spent the better part of the last decade as an educator, so signing my name is a common occurrence, and I did not really feel like it would be wise to carry around a Pilot Parallel all day.  I can tell you what pens I used to sign our marriage certificate, birth certificates, Baptismal records, love letters to my Wife, letters to friends (particularly after they have passed), and so, as I thought about having a pen that would be used to provide uniformity to my signature and link the things I have signed, I did want it to have some presence.

While I have many pens, and have more than I should inked at any given time, I do not have any that serve only one purpose; even the pen that is filled with Iron Gall ink is not relegated to only address envelopes,  it gets a turn to stretch its legs.  For this reason, I did not want an italic nib.  I decided on a classy stub.

I toyed with a custom pen, I looked at several brands that had factory stub nibs, and (probably influenced by my recent love affair with the London Fog) I decided I wanted a Visconti to fill the void.  I was almost swayed by a few beautiful MontBlancs, and an older Pelikan.

So, whilst browsing Chatterley Luxuries to find a moderately priced stub nib, I came across the Visconti-Chatterley Desert Opera 10th Anniversary Limited Edition ST Fountain Pen.  I really do love the Desert Springs material in the Divina, so this was not a hard sell.

I messaged back and forth with Bryant about what I wanted with the pen, and he said he would find the prettiest one he had.  As an afterthought, I sent him a message and told him that if no7 was nice, I would love to have it.  The response I got from Bryant was wonderful... He said that when he went back to see if they had no7, his wife had already picked out the one that she thought had the best pattern, and it happened to be no7!  What are the odds.

The shipping was prompt, the pen had been tested and wrote beautifully.  I was really surprised by two things, the first was the blue enamel in the clip and the second was how well the stub wrote.  My experience, even with higher end brands, has been that when you get larger than a medium nib, they are prone to at least a little baby's bottom.... this had none.

It is a cartridge/converter, but I am not horribly bothered by that.  I felt a little better about putting Noodler's Liberty's Elysium in it because it is much easier to clean out.  Also, it is the nicest converter I have ever used.  It screws into the pen, and is aesthetically very pleasing, with the silver trim and subtle branding.

The packaging is always nice from Visconti, a grey lacquered box.  

The silver grip does not get slippery for me... although as you can see... it attracts fingerprints like nothing else.  

The desert springs material is GORGEOUS!!!  I wish I could take a picture that really captured it.  

In conclusion, I found a pen that not only suits my vanity and makes my signature beautiful, but is one that I genuinely like to write with.  The price was great, and fit in my budget from other pens I had to sell.  It is not my favorite pen, but I have no problem keeping it constantly inked and it will keep a place in my pen pouch.  I was not disappointed in the least, but I still enjoy using a regular nib for general writing... I am not saying that this is the only stub nib I will ever buy, but even if it is, I am happy I have this one.

Na Zdraví!