31 March 2018

Paschal Candle

Since the kids were old enough to go to Easter Vigil, we have made a Paschal Candle on Holy Saturday.  The process is fairly simple: take a large pillar candle and carve a cross, the year, and the Alpha and Omega.  Next the kids apply tempera paint to the general area, you wipe off the excess... and you have a Paschal Candle that you can use to walk through what they are going to see at the Easter Vigil.

This year, we did make the candle from 100% bleached beeswax, and had the candle blessed on Candlemas.






Through the years, we have tried various designs and methods.  Anymore, I have a template that I either cut out and trace, or print in reverse, trace with pencil, and rub onto the candle.



I use GIMP to edit the template, and the font I use for the numbers is "Old London".

Feel free to edit, use, etc. the template.  I have used some fancy tools to carve candles, but the best ones we have done have just been carved with a large nail.

Paschal Candle Template

Some day, I will get some decent candle painting medium and gesso so I can apply gold leaf to the inside of the cross:


17 March 2018

Fr. Joseph Neilson, OCD

Today, March 17th, is the anniversary of the passing of a dear friend of our family, Fr. Joseph Neilson, OCD.  Fr. Joseph was a Discalced Carmelite.  It was fitting that he was born on the feast of the Holy Innocents (December 28, 1932), as he was instrumental in the founding of problem pregnancy centers in Texas, Arkansas, and elsewhere.  He was a great scholar, and despite a debilitating car accident, he challenged those around him on a spiritual and intellectual level. On a more personal note, he was a great friend and spiritual rock for Hannah and me when we were engaged and first married.



During one of our trips to the Marylake Monastery to drive Fr. Joseph to get ice cream he shared a prayer with us.  He told us it was his little prayer when he reached into a bag of chips, or had any other small snack: Dominus qui fecit totum, benedicat cibum et potum; May the Lord Who made everything, Bless this food and drink.



We have kept the page he wrote on, and have hung it in our kitchen, from the very beginning of our marriage, till now.  It has seen better days, but it reminds us that in all things, great and small, to God be the glory.

We miss you Fr. Joseph, and while we feel fairly certain that March 17th 2012 was your entrance day into heaven, we do as you ask and pray for your soul and all the souls of the faithful departed.

02 February 2018

Candlemas


Feast of the Presentation of Jesus in the Temple
&
Feast of the Purification of the Blessed Virgin Mary

February 2nd


One of the things I miss most about teaching is the rhythm of the school year.  Teachers are teased about their ever-changing bulletin boards, but the reality is they are an excellent example of the ebb and flow of the school year.  There is always something to be putting away until next year, something to be doing right now, and something to be preparing for.  Working outside of a school system now, I find it is very easy to get stuck in a rut where every day is just a continuation of the previous; there is always work to do, and what doesn't get done today will need to get done tomorrow.  My consolation, then, is that the Church gives us seasons and feasts to give rhythm and flow to the whole year.


Today, Candlemas, is one of my favorite feast days.  Two feast days, really.  In Jewish custom, not only did the first born male need to be purchased back from God with two turtledoves or two young pigeons, but a woman who had given birth was considered unclean, so purification was necessary.  Hence the two feast days.



The Gospel for today does a better job explaining:

Luke 2:22-40 Revised Standard Version Catholic Edition

And when the time came for their purification according to the law of Moses, they brought him up to Jerusalem to present him to the Lord (as it is written in the law of the Lord, “Every male that opens the womb shall be called holy to the Lord”) and to offer a sacrifice according to what is said in the law of the Lord, “a pair of turtledoves, or two young pigeons.” Now there was a man in Jerusalem, whose name was Simeon, and this man was righteous and devout, looking for the consolation of Israel, and the Holy Spirit was upon him. And it had been revealed to him by the Holy Spirit that he should not see death before he had seen the Lord’s Christ. And inspired by the Spirit he came into the temple; and when the parents brought in the child Jesus, to do for him according to the custom of the law, he took him up in his arms and blessed God and said,

“Lord, now lettest thou thy servant depart in peace,
according to thy word;
for mine eyes have seen thy salvation
which thou hast prepared in the presence of all peoples,
a light for revelation to the Gentiles,
and for glory to thy people Israel.”

And his father and his mother marveled at what was said about him; and Simeon blessed them and said to Mary his mother,

“Behold, this child is set for the fall and rising of many in Israel,
and for a sign that is spoken against
(and a sword will pierce through your own soul also),
that thoughts out of many hearts may be revealed.”

And there was a prophetess, Anna, the daughter of Phan′u-el, of the tribe of Asher; she was of a great age, having lived with her husband seven years from her virginity, and as a widow till she was eighty-four. She did not depart from the temple, worshiping with fasting and prayer night and day. And coming up at that very hour she gave thanks to God, and spoke of him to all who were looking for the redemption of Jerusalem.

And when they had performed everything according to the law of the Lord, they returned into Galilee, to their own city, Nazareth. And the child grew and became strong, filled with wisdom; and the favor of God was upon him.

Because of Simeon's words about Jesus being the light to the gentiles, the Church has traditionally blessed the candles to be used during the coming year: Candlemas.

There was an excellent article written in 1942 by a Fr. John Bolen titled The Wax Candle in the Liturgy, and I highly recommend reading it.  Years ago, when we started making candles for our home use, we used paraffin wax.  It was cheap and easy to work with, but recently we have switched to 100% beeswax.  If you are looking for a reason to switch to beeswax candles, the interwebs will give you plenty of reasons.  I do not, however, dip all our candles.  We use tin molds to make both tapers and pillar candles.  In my mind, it is out of economy.  When we dip candles, you always have to have around 4 lbs of wax melted so that the candles don't get stumpy.  When we pour candles, we can use every last drop.

In the sense that we prepare candles before actual Candlemas, we started celebrating weeks ago!


This year, we made white candles, as well as colored candles for our Advent wreath.  The colors we chose were Violet and Rose.  I recommend dye flakes vs. pigments.  They are easy to measure and mix, and don't clog the candles.



We then took the candles to Mass with us, and they were blessed!







We had a wonderful dinner by candlelight, and enjoyed an evening remembering that Christ came into the world to be a light to all of us.


Everything does taste better by candle light....






The Nativity scene will be packed up tomorrow, as we close out Christmastide, and we will start gathering everything to start Lent in a few weeks.  All the best from our family to yours.  May your evening be a blessed one, and the coming year be full of grace and peace.





01 February 2018

Multi Factor Authentication - Duo and Yubikey

Multi Factor Authentication / 2 Factor Authentication is not just all the rage today, but a necessity in today's ultra-connected world.  The balance between security and convenience is a hard one, but it has to be weighed and measured for you, your information, and the assets you are responsible for.

What?

I have used, implemented, advised on, and researched several forms of Multi Factor Authentication (MFA).  Simply stated, MFA or 2FA just means that you are required to present two pieces of evidence to authenticate.  Generally these fall under one of three categories: knowledge (something you know), possession (something you have), and inherence (something you are).  That could mean knowing a password (knowledge) AND having a USB smart card plugged in (possession).  The implementation on many social media and shopping sites is a password AND a number generated by a time-based one-time-password (TOTP) dongle/app (possession); a code sent by SMS is not technically 2FA because it can be spoofed, but it is still 2SV.  It could also be a biometric fingerprint reader (inherence) plus a hardware-generated one-time password (HOTP; possession).



Some Definitions:

2FA - 2 Factor Authentication, use of 2 different MFA methods.
2SV - 2 Step Verification, use of 2 authentication methods that are NOT distinctly different.
AD - Active Directory, Microsoft enterprise level central store for usernames and passwords.
Biometrics - Using unique human attributes to authenticate.
FERPA - Family Educational Rights and Privacy Act, safeguards and security provisions to protect student information, and to allow Parents and Students reasonable access to their data.
HIPAA - Health Insurance Portability and Accountability Act of 1996, safeguards and security provisions to protect medical information.
HOTP - HMAC-based One Time Password, password generated by a physical dongle that produces the next password from an algorithm and a counter advanced by successive key presses.
Inherence - Inherence Factor, a factor of MFA, aspects that are integral to the individual in question, like biometrics. Something you are.
International Safe Harbor Privacy Principles - principles developed to prevent private organizations within the European Union from accidentally disclosing or losing personal information.
Knowledge - a factor of MFA, something that is known only to the user, like a password. Something you know.
MFA - Multi Factor Authentication, any time that 2 or more unique authenticating factors are required to allow access to a resource or asset, this includes 2FA, 3FA, 4FA, etc. Factors include Knowledge, Possession, and Inherence
NFC - Near-Field Communication, wireless technology that allows communication over short distances, usually an inch or less.
NIST - National Institute of Standards and Technology, sets the standards and recommendations for MFA.
OTP - One Time Password, A password that can only be used once.  Based on time or key presses and generated based on pre-shared information and an algorithm.
PCI - Payment Card Industry, most often referring to Payment Card Industry Data Security Standard, a set of security requirements for credit card processors.
PIV - Personal Identity Verification, a standard for a specific type of smart-card that can be used as an access card.  Standardized by FIPS 201 and is used by federal agencies.
PKI - Public Key Infrastructure, all components necessary for using public key encryption.  Utilizes public and private keys for encryption.
Possession - a factor of MFA, something physical that can not be duplicated or spoofed that is used to authenticate or verify a specific user. Something you have.
SmartCard - any number of pocket sized devices that have an embedded integrated circuit.  They can contain personal identification, authentication, data storage, application processing, etc.  They can be contact based or contactless.
SMS - Short Message Service, a GSM service that is used to send and receive short text messages between mobile devices.  NOTE: because they can be spoofed or read by service personnel, they are not considered a Possession Factor of MFA by NIST.
Spoofing - a form of subterfuge in which communication is sent from an unknown source disguised as a source known to the receiver.
TOTP - Time-based One Time Password, password generated by a physical dongle or application that produces the next password from an algorithm and the current time.
VPN - Virtual Private Network, a private network that allows confidential and secure communication over public networks.
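As an added illustration of the OTP, HOTP and TOTP entries above and of the "something you have" discussion in the What? section, the Python below implements both OTP flavours as the RFCs describe them and a minimal server-side verifier for each. This is example code written for this page, not Duo's or Yubico's; the shared secret is the published RFC 4226 / RFC 6238 test-vector secret rather than a real credential, and the verifier classes, their window sizes and the demo function are this example's own choices. The HOTP verifier shows why a counter token still works after a few key presses that never reached the server, and both verifiers show why a code that has already been accepted cannot be replayed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, 'dynamic
    truncation' to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of a key-press (counter) token.  Each press advances the
    token's counter; presses that never reached the server leave the token
    ahead of us, so we search a small look-ahead window and jump forward."""

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.next_counter = 0           # first counter value not yet consumed
        self.look_ahead = look_ahead    # example's own choice of resync window

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume it: the same code never works twice
                return True
        return False


class TotpVerifier:
    """Server side of a time token.  Accepts the current step plus `skew`
    steps either side (clock drift), but each step's code is usable once."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_step = -1             # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step:
                continue                # replay, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk both token types through normal use, resync and replay; returns
    the observations so they can be checked rather than only printed."""
    h = HotpVerifier(RFC_SECRET)
    t = TotpVerifier(RFC_SECRET)
    return {
        "hotp_0": hotp(RFC_SECRET, 0),                                   # "755224"
        "totp_59_8digit": totp(RFC_SECRET, 59, digits=8),                # "94287082"
        "hotp_first_use": h.verify(hotp(RFC_SECRET, 0)),                 # True
        "hotp_replay": h.verify(hotp(RFC_SECRET, 0)),                    # False: consumed
        "hotp_after_missed_presses": h.verify(hotp(RFC_SECRET, 3)),      # True: resynced
        "hotp_behind": h.verify(hotp(RFC_SECRET, 1)),                    # False: counter moved on
        "totp_ok": t.verify(totp(RFC_SECRET, 1111111109), 1111111109),   # True
        "totp_replay_next_step": t.verify(totp(RFC_SECRET, 1111111109), 1111111111),  # False
        "totp_next_step": t.verify(totp(RFC_SECRET, 1111111111), 1111111111),         # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is that the token and the server never exchange the secret after enrollment; they only agree on a secret once and then both run the same algorithm over a counter or the clock. That is what makes the dongle or app a possession factor, and it is also why a code sent out of band over SMS, which anyone who can read the message can use, does not carry the same assurance.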

Why?

In 2017 we saw a huge uptick in cyber attacks.  Equifax, Yahoo, FedEx, Uber, and countless Facebook, Gmail, and Twitter accounts saw data breaches, and with worms/viruses like WannaCry, NotPetya, and Bad Rabbit, the reality is that you cannot be too careful.

Passwords can be cracked, hacked, shared, and stolen.  MFA applies a second (or third, fourth, etc.) level of authentication and therefore adds another layer of security.  The cost of a security breach is greater than the cost of 2FA, and the extra steps involved force you to be mindful of what you are accessing, where you are accessing it, and what the loss would mean.

Furthermore, if you are a business/entity that is required to use MFA to be PCI DSS, HIPAA, FERPA, or Safe Harbor compliant, then you need to put forth the effort now so you don't get blindsided later.

How?

In my mind, any MFA solution has to have certain pieces:

1) Secure - No bypassing, no spoof-able devices, no shared devices; user tokens/certificates/passwords/etc. need to be easily revocable.
2) Failover - The solution needs to be reliable. While being secure, there needs to be more than one way to authenticate the 2nd factor, in case the infrastructure for the 1st method fails.
3) Usability - If there is not end-user buy-in, it won't get used, it will get bypassed, and it will all be for nothing.... period
4) Deployability - Sometimes referenced as scalability.  It should be easy to go from 10 users to 100 users overnight.
5) Maintainability - Once the solution is operational, how often will it need maintenance, and how many help desk calls are going to be for this solution?

There are LOTS of MFA solutions, but the one I want to walk through today is Duo.  The maintainability, deployability, and usability are there, and it can be made secure.  The problem I had with their module to secure Windows desktop login was that if the machine was not connected to the internet, there was no way to verify the 2nd factor.  It does, however, allow for failover to a smart card.  This is where the YubiKeys enter in.

Duo

Duo is well documented, and it's worth trying for free for 10 users.  To set up Duo Authentication for Windows Logon and RDP, follow their instructions here: https://duo.com/docs/rdp

For my purposes, I have the installer run from a batch file with my pertinent information.  Make sure you allow smart cards, do NOT let it fail open, and since I was securing both local and remote sessions, turn off RDP only.

msiexec.exe /i DuoWindowsLogon64.msi IKEY="" SKEY="" HOST=""
 AUTOPUSH="#1" FAILOPEN="#0" SMARTCARD="#1" RDPONLY="#0"

This means that if Duo can't connect to the internet, your users can still log in with the smart card.  If you use YubiKeys you can also enroll them with Duo as hardware keys, to provide the OTP.

To secure Duo, I turn off the Authentication Methods that are capable of being spoofed, and I require an encrypted OS on the phone and biometrics to use the app.


Now, when users log in, they get a prompt to authenticate through Duo


But what happens if the internet is disconnected, or the user is on an airplane with a laptop, etc?


Yubikey

This is where having the SmartCard option is key.  If you already enabled smart cards at install, then Duo is already set.  To leverage a YubiKey, or any SmartCard, you will need a PKI setup.  That starts with a Certificate Authority, then you will need your machines to accept smart cards, and finally you need a way to enroll them.

I would recommend reading the following documents if this is the road you want to go down:

Setting Up a Certificate Authority
YubiKey Smart Card Deployment Guide
YubiKey Smart Card Minidriver User Guide
YubiKey PIV Manager User's Guide
Yubico PIV Tool Command Line Guide

The down and dirty goes like this:

A) Create a Certificate Authority on a fresh server install (Found in Microsoft and Yubikey Documentation)

1. Open Server Manager and choose Add roles and features, > Next.
2. > Role-based or feature-based installation > Next.
3. > Select a server from the server pool.
4. Select your new server.
5. Under Server Roles, > Active Directory Certificate Services, > Next.
6. > Add Features, > Next.
7. > Next again.
8. > Certification Authority, > Next.
9. > Install. Allow several minutes for the process to complete.
10. > Configure Active Directory Certificate Services on the destination server, > Next.
11. > Certification Authority, > Next.
12. Choose Enterprise CA, > Next.
13. Choose Root CA, > Next.
14. Create a new private key, > Next.
15. Select the cryptographic provider, hash algorithm, and key length for the private key, > Next.
(Yubico recommends sticking with default values so you don't create a cert that is too big for the smartcards)
16. Common name and Distinguished name will be automatically populated. Confirm the values match the server name and domain name, > Next.
17. Select the validity period for the Certification Authority certificate, > Next.
18. Leave the Database locations to the default values > Next.
19. Verify all settings match the desired values, > Configure.
20. When the process completes, exit the installation wizard.

B) Install the minidriver
1. Download the minidriver: https://www.yubico.com/support/knowledge-base/categories/downloads/
2. Unzip
3. Right click the one that says it has Setup Information and click Install


C) Create an Enrollment Agent so you can enroll certs on behalf of your users.
If you want to allow users to self enroll, follow the documentation in the deployment guide above
1) Open the Certificate Template Manager by running certtmpl.msc
2) Right click on the template named Enrollment Agent



3) In the security tab, ensure that the user/users/groups that will be in charge of enrolling other users has Read and Enroll permissions on the Template.
4) Open the Certificate Authority Manager by running certsrv.msc
5) Right click Certificate Templates, under new, Choose Certificate Template to Issue.


6) Select Enrollment Agent template
7) Open certmgr.msc
8) Under Certificates - Current User expand Certificates
9) Right click, Request a New Certificate
10) Select Active Directory Enrollment Policy, and then select the Enrollment Agent template, and then click Enroll.

D) Create a smart card certificate Template
1) Open the Certificate Template Manager by running certtmpl.msc
2) Right-click Smartcard Logon, and select Duplicate Template.
3) Setup the certificate as follows:






4) Open the Certificate Authority Manager by running certsrv.msc
5) Right click Certificate Templates, under new, Choose Certificate Template to Issue.


6) Select YubiKeySC template
7) Open certmgr.msc
8) Under Certificates - Current User expand Certificates
9) Right click, Under Advanced Options, choose Enroll on Behalf of
10) Select Active Directory Enrollment Policy, and then browse and choose your Enrollment Agent cert, choose the correct user and then click Enroll.
11) The default PIN is 123456
12) MAKE SURE THE USER CHANGES THEIR PIN.  It has to be 6-8 characters and can be a combination of letters and numbers.  They can change their PIN by pressing Ctrl-Alt-Del and switching to the smart card with the sign-in options button.

E) Resetting a SmartCard after they lock their PIN
It will happen.  You can use the PIV Manager to reset it, or you can download the PIV Tool and run the following batch file:

@ECHO OFF
REM Resets the PIV applet on a YubiKey so the key can be re-enrolled.
REM yubico-piv-tool -a reset only succeeds once BOTH the PIN and the PUK are
REM blocked, so this script exhausts the retry counters on purpose first.
REM 000000 and 000001 are deliberately wrong values, not the real PIN or PUK.
REM Replace ~path with the folder where yubico-piv-tool.exe was unpacked.

:choice
echo Yubikey will be reset and
echo you will erase current Certificate.
set /P c=Are you sure you want to continue [Y/N]?
if /I "%c%" EQU "Y" goto :yes
if /I "%c%" EQU "N" goto :no
goto :choice

:yes
echo Resetting Yubikey...
REM Block the PIN: repeated failed verifications use up its retry counter.
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
REM Block the PUK: repeated failed PUK changes use up its retry counter.
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
REM With PIN and PUK both blocked the applet can be reset; keys and certs are erased.
~path\yubico-piv-tool -a reset
echo exiting.............
pause
exit

:no
echo Yubikey was not reset.
echo exiting.............
pause
exit

After the YubiKey is reset, it will have to be re-enrolled, and the old cert will need to be revoked.

Other Considerations

As I said earlier, this is just one of many options.  Start the conversation now because if you are not using any form of MFA or 2SV then ANYTHING you do is more secure than what you have right now.

I am not paid by any of the aforementioned companies; in fact, I pay them for the use of their services and devices.

Make sure you enroll your YubiKeys in Duo as well as enabling the smart card feature.  Then you can use them as a token, and don't have to rely on the app: https://duo.com/docs/yubikey

Finally, do your homework.  The more prepared you are, and the more you experiment with these items in your own environment, the better prepared you will be for the challenges ahead.

31 January 2018

Potato Soup 2 Ways

Gluten-Free, Dairy Free, Potato Soup

We have tried at least half a dozen different potato soup recipes, from the copycat Zuppa Toscana, to Czech garlic potato, loaded baked potato, mushroom potato, etc.  This is our favorite.  This is an easy soup, flexible, easily modifiable, and makes a ton... 1.5-2 gallons worth.

While it does make 25 one-cup servings, and you might be tempted to cut it back, I would caution you not to.  It keeps well, the proportions start getting weird when you cut it down, and really, you will eat more than 1 cup of it at a time.


The reason I say "Potato Soup 2 Ways" is that we often make it meatless on Friday, and then add sausage to it on Saturday, and it is almost completely different. We also use Almond milk, and honestly, I think it works better, and freezes better.

Ingredients

Base:
1-2 Tbs oil (or drippings from bacon/sausage)
4 Stalks Celery, small dice
1 Large Sweet Onion, small dice
1/2 Cup Flour
1/2 gal Vegetable or Chicken stock
4 lbs. potatoes, peeled, diced
2 tsp Salt
2 tsp Slap Ya Mama (or other Cajun seasoning, may need to cut back on salt)
Pepper to taste
2 Cups Unsweetened Almond Milk

Additions:
1 lb. bacon cut into pieces
2 lbs. Polish/Smoked Sausage (We use Conecuh Sausage) cut into pieces
Cheese
Green Onions/Chives
Sour Cream

Procedure

1. (Meat-Free) Sauté onion and celery in oil in large pot/dutch oven until beginning to soften.
1a. (Meat) Brown sausage until cooked through in large pot/dutch oven, remove with slotted spoon.
1b. (Meat)  Sauté onion and celery in drippings until beginning to soften.
2. Add flour and stir until color starts to change.
3. Add half of stock, stir.
4. Add potato and rest of stock.  Gentle boil until cooked through.
4b. (Meat) While potatoes are boiling, cook bacon and crumble.
5. Once potatoes are cooked add Almond Milk, blend soup in batches, or use an immersion blender.  (If you like some pieces of potato, don't blend it all)
6. (Meat) Add Sausage and heat through.

Top as desired.  Sometimes I'll add the bacon in with the sausage, but I really prefer the crispy bacon on top, with a healthy dose of cheddar cheese.

Enjoy!




14 January 2018

Confraternity of Christian Mothers - Internet Safety - Hahn/Voboril


A few weeks ago, I was blessed to share a podium with Jeff Hahn at the Confraternity of Christian Mothers, Birmingham Chapter.  We spoke for some time on the perils of the internet, how to protect yourselves and those under your care.  As promised, I have posted some of our notes and slides below.

Jeff Hahn Notes
Tomas Voboril Notes

To learn more about the Birmingham Confraternity of Christian Mothers, check out their webpage here: https://ccmbham.wordpress.com/



St. Michael Fighting the Dragon
Albrecht Durer

29 May 2017

Visconti Australis Opera Master LE


It took me a while to find ANY information on this fountain pen.  Originally, when I saw it for sale, I thought it was a fake.  It was, in fact, part of a 3-pen Limited Edition offering for Visconti's Australian market.

The Australis was limited to 150 pens.
The body is made of black lucite with rose gold accents.
The filling system is Visconti's double power reserve.
The nib is 18k gold (mine is a medium).


My Australis was shipped from Australia as NOS (New Old Stock).  The box was not in very good condition, it was falling apart, and had me worried.  The pen (and accompanying letter opener) were in perfect condition.  I was struck by the size of the pen.  It is Opera Master size, and as you can see below, that makes it on the "oversized" end of things.


I love the rose gold accents.  Sometimes, rose gold looks more brass than gold, but I think they did an excellent job here.  The letter opener matches very well.


Some of my Viscontis have poor lettering on the clip; this one had sharp lettering that stood out with even black filling.


It does have the "my pen" system, where you can replace the end bit on the pens, but they all have gold or silver accents and they just don't work as well as the one that came with it.  My one complaint is that the magnet is very weak on this one, and the logo seems to rotate every time I use it.

Like the other Opera Masters, it follows the squaring the circle concept.  It really does make for a comfortable pen, and a great looker.  I actually enjoy it more than the Waterman Exception.


The nib is lovely, and the writing experience was superb.  Visconti nibs run wet and wide.  This is no different.  I will say I prefer their gold nibs to their palladium nibs.


From left to right, Pelikan M805, Visconti Homo Sapiens London Fog, Noodler's Neponset, Visconti Australis, and MontBlanc 149.  It's a BIG pen.



In the Visconti line-up, it is the biggest among the popular ones.


Australis Opera Master on Top, Homo Sapiens in the Middle, Opera on the bottom.


In conclusion, I love the pen.  I have had it now for six months and it is almost always inked, with MontBlanc Lavender Purple. It is a big luxury pen, but it can be had for a decent price and it really does deliver.  I did not find it over-weight or over-sized in a bad way.  I do not post the cap when I use it; that would make it way too big.  There are other Opera Masters I would love to have, but if this is the only one I am ever able to acquire, I will be content with it.