steps to have excel talk to Graph API

Here are the steps to talk to the AAD Graph API using Excel 2013 and Power Query. The steps are similar to those used when talking to the supported OData feed of the CRM Online service. A workaround is given that makes Excel talk to the Graph API.

1. open an excel workbook and activate the power query ribbon. Select an odata feed:

image


2. Supply the Graph API URI

From http://msdn.microsoft.com/en-us/library/azure/jj126255.aspx

in my case the value is

https://graph.windows.net/rapmlsqa.com/users?api-version=2013-04-05

image


3. Focus on users

you must select the user form of the URI (and the organizational id option)

image


4. Sign in and STAY SIGNED IN

image

image


5. save the credential set

image

choosing the users option, and “save”.

6. One then sees what feels like a bug, whereupon one must save again. Note that a specific workaround is required: you MUST save again, now as anonymous.

image


the net result is a query resolution:

image

Posted in odata

using excel powerquery to talk to CRM odata service (with sso/oauth, etc)


image

image

one sees a sensible Fiddler trace.

image

image

one sees the final phases of the oauth2 handshake with an AS augmented with the ability to do websso with an IDP. One sees several calls to the services of the odata source, each of which has an authorization header in the HTTP request, populated with the access token obtained from the oauth2 handshakes.

I think I’ve also learned the right mental model for the credentials (and stored tokens) associated with any given data source. One can regenerate the access tokens, per source.

image

 

in our trial, we simply signed in as a different Netmagic user – i.e. different CRM netmagic-linked user.

image

Posted in odata

accessing CRM online, using AAD tenant discovery

Let’s build the modern/mobile odata application that talks to the CRM online service that we provisioned in the Microsoft Azure cloud, for some Rapattoni netmagic users. Let’s see how it works when the client cooperates with the oauth2 endpoints of AAD/netmagic to obtain access and refresh tokens; and how the client populates the access tokens into odata requests:

image

From the CRM 2013 SDK


Once we register our new windows 8 “native application” in Azure AD, the windows 8 application acts conventionally:


image


We note the code that precedes this invocation of the oauth2 handshake. It learns the tenant name and the address of the associated oauth2 server from a discovery request. The enhanced WWW-Authenticate header (carrying the authority_uri) is returned only when one adds a particular query string (SDKClientVersion=X) with suitable values. That is, clients must “opt in” to the practice.


image
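The opt-in discovery exchange described above, as an added example in Python (not code from the post or from the CRM SDK): a stand-in for the CRM endpoint that returns the Bearer challenge only when the SDKClientVersion query string is present, and a client that parses the challenge, refuses an authorization_uri that is not on an expected login host, and only then attaches the access token to its OData request. The service paths, the tenant segment of the authority and the token are constructed placeholders; the challenge parameter names (authorization_uri, resource_id) are the ones ADAL-style clients consume, which the post refers to as authority_uri. The allow-list check is the point worth copying: a client that blindly follows whatever authority a 401 names can be steered to a rogue token endpoint.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed values for the simulation. CrmServiceUrl matches the post; the
# service paths, the tenant segment of the authority and the token are
# placeholders, not values taken from the post's screenshots.
CRM_SERVICE_URL = "https://netmagic.crm.dynamics.com/"
DISCOVERY_PATH = "XRMServices/2011/Organization.svc/web"        # assumed
ODATA_PATH = "XRMServices/2011/OrganizationData.svc/"           # assumed
FAKE_AUTHORITY = "https://login.windows.net/TENANT-ID-PLACEHOLDER/oauth2/authorize"
FAKE_RESOURCE = "https://netmagic.crm.dynamics.com/"
FAKE_ACCESS_TOKEN = "constructed.access.token"

# Login hosts the client is prepared to send the user to. A challenge naming
# any other host is refused: a tampered or spoofed 401 must not be able to
# steer the client (and the user's credentials) to an attacker's "authority".
TRUSTED_AUTHORITY_HOSTS = {"login.windows.net", "login.microsoftonline.com"}

_PARAM_RE = re.compile(r'([A-Za-z_]+)\s*=\s*"([^"]*)"')


def parse_bearer_challenge(header):
    """Turn a 'Bearer k="v", k2="v2"' WWW-Authenticate value into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(_PARAM_RE.findall(params))


def authority_is_trusted(authorization_uri):
    """Only an https URL on a known login host is an acceptable authority."""
    u = urlparse(authorization_uri)
    return u.scheme == "https" and u.hostname in TRUSTED_AUTHORITY_HOSTS


def validate_challenge(header):
    """Return (authorization_uri, resource_id), or raise if the challenge is unusable."""
    params = parse_bearer_challenge(header)
    authority = params.get("authorization_uri")
    if not authority or not authority_is_trusted(authority):
        raise RuntimeError("untrusted or missing authorization_uri: %r" % authority)
    return authority, params.get("resource_id")


def fake_crm_server(url, headers):
    """Stand-in for the CRM service with the behaviour the post describes: a
    request carrying a Bearer token is served; an unauthenticated request gets
    401, and the 401 carries the discovery challenge only when the client
    opted in with SDKClientVersion=... in the query string."""
    if headers.get("Authorization", "").startswith("Bearer "):
        return 200, {}, "<feed/>"
    if "SDKClientVersion" in parse_qs(urlparse(url).query):
        challenge = 'Bearer authorization_uri="%s", resource_id="%s"' % (
            FAKE_AUTHORITY, FAKE_RESOURCE)
        return 401, {"WWW-Authenticate": challenge}, ""
    return 401, {}, ""


def discover_authority(service_url, sdk_client_version="6.1.0"):
    """Client side of discovery: opt in, then validate what the server claims."""
    url = "%s%s?SDKClientVersion=%s" % (service_url, DISCOVERY_PATH, sdk_client_version)
    status, hdrs, _ = fake_crm_server(url, {})
    if status != 401 or "WWW-Authenticate" not in hdrs:
        raise RuntimeError("no discovery challenge returned (status %d)" % status)
    return validate_challenge(hdrs["WWW-Authenticate"])


def fetch_odata(service_url, access_token, entity_set="AccountSet"):
    """After the OAuth2 handshake (not simulated here) the access token travels
    in the Authorization header of every OData request, as in the Fiddler trace."""
    url = service_url + ODATA_PATH + entity_set
    status, _, body = fake_crm_server(url, {"Authorization": "Bearer " + access_token})
    return status, body


if __name__ == "__main__":
    authority, resource = discover_authority(CRM_SERVICE_URL)
    print("authority:", authority)
    print("resource:", resource)
    print("odata:", fetch_odata(CRM_SERVICE_URL, FAKE_ACCESS_TOKEN))
```

Requesting the discovery URL without SDKClientVersion gives a bare 401 with no challenge, which is the "opt in" behaviour the post describes; the client therefore has nothing to act on until it has explicitly asked.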


// client id registered in AAD for the native application, and the CRM Online organization URL
private const string _clientID = "d00b06a7-4dbb-4eab-bb59-8d63a4783d36";
public const string CrmServiceUrl = "https://netmagic.crm.dynamics.com/";

We see the request for discovery and then the odata retrieval of an account entity set.

image

image


image

Posted in odata

scanning commodity crypto chips–using enhanced MRI

I’m not really sure WHY it’s viewed as SUCH a secret, but, from the Stasi side-effect I experienced yesterday, the empire is inclined to hit back – over the MRI article.

So much for American freedoms of speech. SO much for the exceptionals (who act more like the typical nazi, once the defense of exceptionalism becomes paramount).

The typical crypto chip is rather amenable, by design, to MRI scanning – at a discrete level of analysis that may not quite seem plausible. But THAT it IS POSSIBLE is the secret (not that folks are scanning the electrons wandering across silicon gates, in order to subvert the vacuous, marketing-grade FIPS 140-1 boundary). We all know the Americans have rigged the chips. The ONLY secret is how cheap it is!

The original motivation for my missive was the pain in my back – which rapidly became a pain in the ass.

Posted in rant

excel consuming Microsoft Graph API, with JWT

We were able to use the Power Query add-in to Excel 2013 to interact with the graph API of AAD:

http://msdn.microsoft.com/en-us/library/azure/jj126255.aspx


image

https://graph.windows.net/netmagic.onmicrosoft.com/Users?api-version=2013-04-05

We had several issues, however, with the organizational id flow. I’m not quite sure how I got around some bugs, but I evidently did:


image

image

Posted in odata

excel visualization of odata source, supported by AAD websso

Using our sharepoint license associated with an office 365 plan, we created a site (bi, for business intelligence) and on that site a list (a business intelligence list of 3 text records):


image

https://netmagic.sharepoint.com/bi/_layouts/15/start.aspx#/Lists/bilist/AllItems.aspx

https://netmagic.sharepoint.com/bi/

https://netmagic.sharepoint.com/bi/_vti_bin/ListData.svc

we want to now talk to this list of records using odata. So we launch excel and powerquery:


image

image

we note the opportunity to use the websso login:


image

image

Selecting the odata service URI, we get an enumeration of entity sets, including our bilist.

image

image


We get back a record set, after querying:

image

image


let’s refresh the query, having activated fiddler to spy on the wire:

image

image

image


in terms of authentication, we see that the odata queries are supported by cookies. That is, one signs in using the powerquery tool (using oauth and ws-federation) in order to get a fairly classical WIF session cookie (FedAuth):

image

image

Above, we see the sharepoint users (linked up to AAD managed users)

Posted in odata

NSA got into my MRI scanner…

The hardest part of looking at the MRI of my back was finding a PC with a cdrom reader!

Then we find that NSA got to it, first (the MRI machine, that is).

image

we should actually thank NSA and the whole optical spying process for having created the computing power and algorithms that induced such (obviously useful) spinoffs. Remember what MRI does – enabling advanced slicing images to be built back into a viable image suitable for human (diagnosis).

Posted in dunno

diffusing concentrations of probability; oracles based on superposition encodings

We can compare the argument for introducing an ‘oracle’ – that hides the names of the edge/color labels used by one binary tree from the other…


image

image

image


image

with the intuition given for how the zig-zag product creates rotation algebras that quickly mix a vector into the uniform distribution:


image


image

http://www.math.ias.edu/~avi/PUBLICATIONS/ReingoldVaWi2000.pdf


The latter paper goes on to describe how to construct the large graph and why it works – to redistribute concentrations of probability:

image

Posted in crypto

Zigzag versus fano plane

On reading how the zigzag graph works, I found myself applying the ideas to Turing’s use of the Fano plane.

The point to observe is that the Fano plane is a set of design blocks: with the 3 points of each line logically affiliated with an opposite point (on the unit circle). One should think of each as a cloud, having a particular conditional distribution with respect to the graph as a whole. It’s the zig (or the zag).

Now the point about zigzag is that the semi-direct product generates an averaging process that diminishes certain vector lengths – specifically, those vectors that are orthogonal to the constant functions in the space. The proportion of diminishing is a function of the spectral gap of the character function.

The nearest neighbors are clouds, that is. Or they’re the set of blocks, equivalently.

So what is the hyphen function of zigzag, in the fano plane?

It’s the unit circle, and its permutation centric automorphisms acting as a transducer of entropy induced by the zig, or an entropy generator should the zig have contributed none.

In geometric terms, folks are reducing the angle between the constant function and those vectors in that special space to which the averaging process uniquely applies. What the zag does is renormalize and recentralize that space (so it’s orthogonal again, in the new norm now) ready for the next round.

Thus you see how the conditional probabilities are transformed.

For the first time I think we understand the 1950s response to the attacks mounted against tunny and purple.

Posted in coding theory

Links between defcon and us military complex

Defcon used to be about naughty hackers (often in trouble). There was a pseudo political agenda.

Looking through the speaker list, one sees how most of those doing the speaking and leading of opinion are very much part of the US military-influenced mainstream. That is, we are dealing with folks who are fully indoctrinated.

As a sideline hobby, they hack (for fun, as hobbyists). This seems little more than folks learning techie tools and then showing off technical knowhow.

What you don’t hear is any subversive tone (or even any rebelliousness). There is very little dissent from the mainstream.

Posted in coding theory

defcon and animal farm–the morality play

Before Zimmerman delivered his business plan (and rant about his warning on how compromise of a CA/PKI failed to prevent someone spying on everyone in Iran (and America)) some other defcon older type sold his book on UFOs theory, and the giant conspiracy of NSA, CIA and James Bond.

Defcon has its major bash tonight, the party that it once WAS. Now it’s just a business, flogging tawdry security to folks whose livelihoods depend on keeping well IN STEP with corporate culture (which is a kowtow culture of subservience to NSA, etc).

While I won’t deny anyone their rights to their party week, it is sad to see defcon become a goon show.

In Animal Farm, the giant CIA movie plot apparently, the dogs get nasty. Which is what I’m seeing of defcon culture, as it self-protects (its nice little money-making venture).

So far there is no Snowden (other than using the theme to sell something). Which tells you what we all know – that the typical means BY WHICH NSA infiltrates the corporate world is, ahem, by using or abusing the very people attending defcon.

What’s worse, those folks are in abject denial (or perhaps it’s all a giant covert op, by ex-military types beholden to the exceptional nation status) that this is ALL their industry really is FOR.

Posted in rant

using AAD graph API to create federated user (or provision one, more formally)

Sample code for openid connect protocol and the graph API can be found, today, at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet.

image

Having configured this web application per the instructions, for our rapmlsqa.com tenant, on one screen we see the UI through which one creates a user in the directory.

image

http://reso-odatapoc.azurewebsites.net/Users/Create

Using the creation tool lets us see what passes on the wire:

image

we are unable, however, to find which parameters one must pass using this API when we want creation of a “federated” user. So far, we have created only “managed” users – who do not have federated status, by definition.

Spying on PowerShell cmdlets gives us a glimpse, however, of the semantic rules concerning federated user creation. Though the service uses a different and non-RESTful protocol, we can see the type of information to be passed during “provisioning”.

image

image

OK, so it turns out to be simple:

image

add the immutableID to the binding list, and amend the form to expose the immutableid label and field editor:

image
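The federated-user case just described, as an added example in Python (not code from the WebApp-GraphAPI-DotNet sample): a builder for the Graph API user-creation body that insists on an immutableId whenever the UPN’s domain is one of the tenant’s federated domains, plus the conventional mapping from an on-premises objectGUID to the base64 immutableId that a directory-synced IdP will assert. The federated-domain set, the example names, the GUID and the password are constructed; whether the Graph API also demands a passwordProfile for a federated user is not something the post settles, so the builder requires one only for managed users (an assumption, noted in the code).

```python
import base64
import json
import uuid

# Constructed assumption: the domains of this tenant that are federated to an
# external IdP. The post federates rapmlsqa.com; the set itself is made up here.
FEDERATED_DOMAINS = {"rapmlsqa.com"}


def user_domain(upn):
    """Domain part of a userPrincipalName, lower-cased for comparison."""
    return upn.rpartition("@")[2].lower()


def immutable_id_from_guid(object_guid):
    """Conventional immutableId (source anchor) for a directory-synced user:
    base64 of the on-premises objectGUID in .NET Guid byte order, which is
    Python's bytes_le. This mapping is the usual convention, not from the post."""
    return base64.b64encode(uuid.UUID(str(object_guid)).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id):
    """Inverse of immutable_id_from_guid, for checking what an IdP will assert."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("immutableId does not decode to a 16-byte GUID")
    return uuid.UUID(bytes_le=raw)


def build_user_payload(display_name, upn, mail_nickname, immutable_id=None, password=None):
    """Body for the Graph API user-creation POST. Property names are those of
    the AAD Graph user entity. A user in a federated domain must carry the
    immutableId the IdP will assert for it; a managed user needs a password.
    Whether the API also wants a passwordProfile for a federated user is not
    settled by the post, so it is only included when a password is supplied."""
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": upn,
    }
    domain = user_domain(upn)
    if domain in FEDERATED_DOMAINS:
        if not immutable_id:
            raise ValueError("%s is a federated domain: immutableId is required" % domain)
        body["immutableId"] = immutable_id
        if password:
            body["passwordProfile"] = {"password": password,
                                       "forceChangePasswordNextLogin": False}
    else:
        if not password:
            raise ValueError("%s is a managed domain: a password is required" % domain)
        body["passwordProfile"] = {"password": password,
                                   "forceChangePasswordNextLogin": True}
    return body


def is_federated_user(body):
    """True when the payload describes a user whose sign-in is delegated to the IdP."""
    return "immutableId" in body and user_domain(body["userPrincipalName"]) in FEDERATED_DOMAINS


if __name__ == "__main__":
    # Constructed example GUID standing in for an on-premises objectGUID.
    anchor = immutable_id_from_guid("00000000-0000-0000-0000-000000000000")
    fed = build_user_payload("Fed User", "fed.user@rapmlsqa.com", "feduser", immutable_id=anchor)
    print(json.dumps(fed, indent=2))
    managed = build_user_payload("Managed User", "m.user@netmagic.onmicrosoft.com",
                                 "muser", password="Constructed-Pa55word")
    print(json.dumps(managed, indent=2))
```

The domain comparison is case-insensitive on purpose: a UPN typed with a capitalised domain must still be recognised as federated, otherwise the builder would happily create a managed (password-bearing) account in a domain whose sign-in is supposed to be delegated to the IdP.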

Then we can create and list users created in certified domains:

image

image

This gets us to proving it works… with our IDP:

image

Posted in AAD

objecting to the club vs NSA analogy; using my CISSP knowhow in ape culture

Somebody found a reason to object to the “writing” of my last missive since it portrayed NSA as a stone age clubber defeating the electronic crypto lock on my front door – by battering down the casing. The objection was founded in the analogy’s inappropriateness – since NSA would not want to show itself to have subverted the lock, as would be rather evident should the analogy be valid.

You have to remember that my apes are American apes. And what I learned at the RSA Conference, last year, as part of my CISSP re-education camp program, was that there are 3 types of monkeys (in Bali, or elsewhere). The first group are cuddly (like the guys who were first sent to work over the OpenID Foundation); working you over with affection so you happily hand over half of your bananas. The second group mug you for the remaining half, leaving you feeling somewhat used (like the “former government contractors” who somehow always turn up in Google/Microsoft standards forums, with a snarl and a growl). The third group are the intelligent apes, working with the human banana salesman (now that you have no bananas left, after the mugging). These guys use intelligence, scouts, environment funneling and have a certain ape psychology based in the “mutual understanding” between master human, ape and us that if they hound you (think Verizon, Google, BT) by perhaps stealing your wife’s scrunchie from her hair, you will buy some more bananas and negotiate for return of the “emotional attachment item” – to use an Americanism.

So where is NSA, in that story?

NSA is the human signaling to the intelligent apes on who to target, how to hound, and when to return the object given the purchase of a suitable number of additional bananas. The monkeys, typically IETF types, have long learned the signal craft, knowing that even if the target walks off with most of the bananas, the salesman will provide the ape’s real cut (later). It’s not the ape’s role to negotiate, only to hound and be the front man.

So getting back to my front door, how does the missive end, properly? assuming it’s a standard piece of American writing?

Well I would have to agree that NSA, as a covert operator, would not seem to be properly represented as he who leaves a trail of smashed casings. But then with Verizon and google and others showing that the front doors to our internet portals ARE smashed, thanks to subversion of their clumsy “legal locks” that don’t work, perhaps when we regard NSA as the intelligent monkey minder, we see that in fact the casing analogy was fine all along.

Surely, that was worth an ISC2 CPE, for sheer invention and consideration – particularly since I got 2 of them for listening to some 70 year geezer show a video about his wonderful office staff, while drinking beer. Ah, but then the CISSP head honcho is the true NSA operator serving beer, in order to subvert a mass audience of opinion makers belonging to the real “club”.

Posted in rant

cryptographic games–China vs US- removing the UK’s game rules

image

http://www.cnet.com/news/china-lashes-out-at-google-apple-for-allegedly-stealing-state-secrets/

China would be well advised to consider the relevance of the “playing ball” phrasing.

Any good politician talks through both sides of her mouth – letting two audiences hear what they wish, from the same words. Google play ball, with words.

To Google, as to any American firm, this “is” a game (to be won and lost, and competed over). It has to be kept as a “game” since there IS no simple political solution. Being upbeat Americans, they get to choose between a mindless, senseless and failure-inducing world … or a game (in which perhaps politics keeps the ball at least rolling).

Of course, Google knows that the standards groups are rigged. They know that the IESG might as well be made up of US officials, beholden to the American dogma. Of course they know that policies, practices and standards are set to meet the commodity market (not the state-secrets market). And that this means that the security works ONLY in the areas it’s supposed to work (and not in areas “out of scope”).

According to the American game, that both Google and Microsoft play well, the game rules are set so as to keep anything of much importance in the “out of scope” space – where normal spying techniques work.

Where China vs US seems to be enabling a solid China win is in the area of vendors, e.g. Google, who look increasingly shrill – as they attempt to deny the nature of the game – and their own political doublespeak. Yes there is NO backdoor to my electronic house locks (and no agreement with the local police to allow covert entry, with special lock codes); but two decent sledgehammer blows to the *casing* of any common, wooden house door make it “unnecessary to pick the lock”. The lock resists penetration by Harvard crypto scientists for 2h! (says the Google security marketing). It’s just “not Google’s problem” that the casing resists for 20s, only, to apes wielding stone-age clubs.

And so it is with Google and Microsoft Crypto.

Both firms know precisely how to sledgehammer areas of their product other than crypto, making the crypto ineffective. And of course, they spend large amounts of money in marketing UK-style deceive-and-deflect security standards, ensuring that “those areas” are “out of scope” in the “mind” of the public.

Posted in rant

math and cryptanalysis–some notes

Three observations about math and crypto.

1. Quaternion “Algebras”

It’s fun to look at quaternions as a special kind of polynomial sum, with terms weighted as is usual. Then, it’s interesting to see how to abstract H, the quaternions, into quaternion algebras – for different basis sets.

In light of the theory of abelianization of streams, one can feel, quite intuitively, just how this is so crucial to even modern cryptanalysis.

image

image

image

http://www.maths.tcd.ie/pub/ims/bull57/S5701.pdf


The main point is that F can be anything (including huge number systems) good for cryptanalytical discriminant finding.


2. Wave “functions”

image

https://www.youtube.com/watch?v=8mi0PoPvLvs#t=1128

Also fun to review even the basics of quantum mechanics, so well reviewed by Susskind.

He was able to put succinctly how a wave function is just a function of x (just as are the functions we all learn about, aged 12). It’s just that the calculation formulation for that function is an inner product, where x varies (just as it does in the functions we all…).

What he doesn’t do well is just say what Turing said: a wave function is just an array of proportions!


3. hyperbolic geometries and generating algebras


It’s from hyperbolic geometry that we can get a glimpse of how Turing saw quantum modeling and simulation AT AN INTUITIVE level. In particular, in his On Permutations paper, we saw how he leveraged just 2 and 3 (2 steps between 3 points) to create normed spaces (of 6 elements); then argued how energy functions (i.e. Hamiltonians evolving the energy component of quantum systems over time) can be represented simply in terms of permutation groups, leveraging the projection of those functions in a hyperbolic geometry onto a projective plane that supports calculation in terms of long expressions of (ordered) swaps, using just Newman’s core topological knowledge in foundational groups and homotopic equivalence.

We got to see how conjugation in a hyperbolic geometry is the reflection operation (when the geometry is the interior, or inner space, of the unit circle). Similarly, we got to see how external points relate to the circle too, and how this quickly gets us not only to the notion of duality but to an external product space where constraints between two intertwined systems create a Hilbert space where quadratures and spreads are preserved; and in which one can do quantum calculations using only proportions.

Posted in crypto

developing cryptographic intuitions for quantum era

we learned from the description of the US 1945 5205 cryptographic process how, despite all its engineering complexity, the machine counted how many times certain (high-scoring, distinguishing) characters appeared in a tunny stream. For example, compute chi (5 bits) xor ‘e’ (5 bits). Now count the hits in the cipher. e will have less uncertainty than it would have, were it to be found in a random cipher stream.

we have seen that, in quantum mechanics, an inner product is, on the one hand, a measure of the distinguishability of two states, and ‘the value e’ on the other. Should one score ‘e’, it’s a measure of the transition probability. Perhaps e is just a representative of its weight class, and perhaps one goes about counting any distinction equivalent to a weight difference.

Posted in crypto

Realty ws-trust IDP interworking with AAD token issuer, in saml bearer grant

image

Using the fiddler proxy, we were able to craft delivery of custom metadata from our IDP whose endpoint addresses now meet the expectations of the Microsoft ADAL library’s saml-bearer grant flow.

The only code change we made to this service was to add a nameid format property to the subject field (of value unspecified). But I’m really not convinced that that has anything to do with the sudden interoperability. Making our active and passive STS have configurable values for that property doesn’t seem particularly useful, though it is vaguely more correct.

Posted in AAD

cimba.co


signup using chrome (not IE) to get a (windows) cert


image

image

create microblog and channel, and first post.


in IE metro mode, note how to login to site


image


image


after a second prompt to select the cert, we do get a modern UI


image

not successful on windows phone 8.1, having loaded up certs/keys, etc; probably as the TLS handshake doesn’t validly induce the certificate selector. Too many assumptions being made in cert naming, no doubt.

Posted in webid

k-order propagation in hyperbolic reasoning calculation spaces

image

image

if we think in terms of Wildberger’s universal hyperbolic geometry, the case for defenses against linear cryptanalysis is one of ensuring that a wheel of points is assumed to have, at each point, a binary value, and one looks back from the current pointer over sufficient pads to get the components of the codeword that has the requisite number of hamming bits. In the case of differential cryptanalysis, one looks back enough component terms so one has k supports.

Posted in crypto

hamming weights, correlation immunity, proportional bulge algebras


image

Correlation of Boolean Functions – MIT – Massachusetts Institute


the original conception of Golomb is far more intuitive than others, particularly when taking into consideration

image

https://www.youtube.com/watch?v=PSFr6_EhchI#t=1222

this guy does a great job of reasoning much like Turing and co reasoned in 1943, using ratios in a hyperbolic computation graph space that reasons with correlations (contrasting null points on the distinguished circle – like enigma rotor points – with points on the overlying triangle – which represent non-unitary correlations linking plaintext to ciphertext).


Now it becomes very obvious why Turing, in On Permutations, is so adamant to set the mean of vector length to be 1. He is entirely reasoning in proportions.

It will be fun to see if Wildberger can get us all the way from here – from, as he says, the elementary stuff that is key to “thinking different” – to Fourier transforms computed in proportional algebras.

We know folks in the cryptanalytical attack on Tunny made exactly that leap.

Posted in crypto

Microsoft Azure blog and AAD

image


you cannot comment on the microsoft azure blog using a live id OR an organizationalID.

you have to wonder what goes on in the minds of some folks. Or perhaps comments are just a throwaway that no one really wants – but have to be seen to provide.

Posted in AAD

wordpress and SSO culture; letting google eliminate Trulia

It’s been a while since I analyzed wordpress.com – looking at how it has taken up or set a trend.

image

we see that the MISSION of Google enabling SSO to the site is so that it can sell linking services – indirectly. Google wishes to be in the enforcement business – selling visibility of your linking circles. To this end, it wants you (and your wordpress site) to have API credentials back on the IDP’s ports, so that you (or your site) can exploit the linking APIs to publish references.

it is interesting to see JUST HOW EFFECTIVELY wordpress were able to showcase the real driver behind oauth (for websites). Whereas the Microsoft Graph API concept is very much about personalizing a site, for Google the equivalent service is all about outsourcing lead generation, where each circle is a targeted marketing group for corporations.

At the same time, Google, I totally get it. I could easily sell this concept to realtors (as one example of a lead-generation based industry). Google could then easily attack Trulia with this.

So, if I want to defeat Trulia and its attack on the establishment MLS world, perhaps all I have to do is release the Google Kraken, letting realtors individually use their Google circles to do the same lead marketing that Trulia wants to outsource. Rather than give Google streams of MLS listings, we just grant API access…

Then amplify the attack, by allowing LinkedIn to do the same… enabling them to showcase how little Trulia is doing (that folks cannot get for free).

Posted in RETS

defcon money-making non-romp, avoiding discussing of internal subversion by NSA et al

http://defcon.org/html/defcon-22/dc-22-schedule.html

One thing the US govt gave up on, a few years ago, was using the CISSP program to “embed” trusted souls in the heart of corporate america – as it moved to the internet and away from private circuits. These were the folks who were to lead the production of a local capability to “rewrite” communications systems, on demand. Born as the pre-cursor to mandatory wiretapping capabilities in technology, this was the response to the “gap”. The gap is filled by people, indoctrinated and educated to deceive on who is the paymaster. The pay comes in the “accession” to certain committees (with stipends and travel budgets, etc), or “job mobility”.

This didn’t work too well, long term (for reasons I can explain to those with CISSPs or equivalent). Though it did fill the gap in 1996 era, when it was “most needed”.

Its replacement was the pentester – the creation of an entire “independently minded” group of folks with intimate knowledge of the vulnerabilities of corporate systems.

Events such as defcon are breeding grounds for the “culture” of pen testers whose ultimate paymaster is not the client but those with a desire to covertly subvert corporate systems, having got an insider’s view (from the pentester’s work).

Defcon is a good business for its founder; and one notes now how little dissent is tolerated in its papers and format. Dissent that notes how defcon culture itself is subverted, is entirely vulnerable, and has in fact been wholly penetrated is NOT ALLOWED.

Once upon a time defcon could enjoy a good public rant (and enjoy a good humiliation-inducing ribbing (drubbing in English English) of folks such as me who would come down and say the above). But no more. It’s too frightened. Not even the fake beer works, any more. The chains of Chinese girls being paraded and then farmed out to the elite hackers are to be no more (not being able to get visas, thanks to the China/US cyber spat going *too* public).

The little side “contract” from “certain US agencies” (a favorite phrase of the defcon cognoscenti as they do their James Bond impression) is at risk. And that’s my new Lexus car payment (says the defcon subverted).

So now someone will hack my American password (which will take about 14s, since it’s made and protected using American technology) on wordpress, and put up a puerile pwning statement. We are SO GOOD! What we won’t show is how to do it in 2s (if only you had lots more computers, assuming defcon technical types could network their brains together to actually cooperate against the “internal” threat).

I wonder if General Keith will be paid to do a walk-on, to help his retirement fund get to a 100 million?

Wonder if stories about my own “sexual urges” are to be given a public work over, and whether we can see who lies behind the “initiative” as we see the “raw” face of pen testing culture come to the fore. Bet we don’t see any papers at defcon on the links between the participants and those who “hold the little black books” on all of us.

Posted in rant

a ws-trust IDP emulating ADFS for use with AAD oauth bearer grant


https://onedrive.live.com/redir?resid=5061D4609325B60!10733&authkey=!AD_ZOBRkh010sdo&ithint=file%2c.zip

Posted in AAD

align AAD with ADFS rapmls.info

# Sign in to the MSOL service with the tenant admin credential
$msolcred = Get-Credential -UserName admin@netmagic.onmicrosoft.com -Message "password for netmagic is FRED!"
Connect-MsolService -Credential $msolcred -ErrorAction Stop

# Base64-encoded (DER) token-signing certificate of the IDP; the value is elided here
$cert = "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";

# Point the federated domain at that signing certificate, then read the settings back to confirm
Set-MsolDomainFederationSettings -DomainName rapmls.info -SigningCertificate $cert
Get-MsolDomainFederationSettings -DomainName rapmls.info

# Same again with the certificate used by the localhost (development) STS
$localhostcert = "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";

Set-MsolDomainFederationSettings -DomainName rapmls.info -SigningCertificate $localhostcert
Get-MsolDomainFederationSettings -DomainName rapmls.info

Posted in AAD

Torshioning – and On Permutations from Turing

While playing Norman Wildberger’s second video lecture on the “fundamental group” I heard material I have never addressed before – despite it being 20 years after I got Cameron’s course for computer scientists on fields, rings, groups, etc. It’s just fascinating to see/hear the geometric angle. This would make a far better second year engineer-math component of a science degree than the typically awfully taught linear algebra course.

image

https://www.youtube.com/watch?v=E6f3I-RiWbk&feature=player_detailpage#t=1503

It’s just fascinating to see Wildberger, after touching on multiplication and inverses, apply the technique to the abstract torus – where there are 2 dimensions/generators to the (constant) loop.

image

https://www.youtube.com/watch?v=E6f3I-RiWbk&feature=player_detailpage#t=1503

At this point we start to think more about Turing’s On Permutations model – having seen that Turing has simply added another geometry to those that Wildberger gives as examples.

image

https://www.youtube.com/watch?v=E6f3I-RiWbk&feature=player_detailpage#t=1503

The theory gives us some quite “involved” modeling terms to work with commutativity, powers of path-functions, commutators and sets of generators on a particular surface (that constrains loops).

We even see something clearly modeled (algebraically by Turing) in the use of the projective plane as the base space for a covering domain argument. This addresses the special case in which powers of a generator can only equal the identity term.

image

https://www.youtube.com/watch?v=E6f3I-RiWbk&feature=player_detailpage#t=1503

The course element has given us several examples of “torshioning” (contraction).

We should remember, now, that Turing’s main point in his manuscript was that certain wiring plans for the Turing bombe drums produce a surface and a supporting algebra (and yes, an unwanted bombe in 1950 would be allowing him several wheels in series!). The U terms play the role of Alpha (to some power). Of course, the symbol of “U to some power” can be expanded as the U wheel being rotated forward or backward by the power – as in setting an enigma box – such that the alphabets of two wheels conjugate.

When a set of such rotated wheels have powers that sum to zero, we have the commuting “normal” case of course. When such powers sum to zero, we see also that we have the “definition” of the abstract cycle (vs a not-cycle that is)– as thought in the world of higher-dimensional homotopic spaces.

Posted in enigma

uk university prototypes for NSA university courses (in cyberwar)

http://www.cnet.com/news/nsa-recruits-college-students-for-cyber-operations-program/

So UCL-CS, one of the foremost internet colleges in the UK, with about as fine an internet pedigree as it gets, is now at the (semi-secret) forefront of interfacing academia to GCHQ. This both hurts and instills pride in me (since I worked there, and know lots of the folks now "fully involved"). I have to admit that I did something similar while working at UCL-CS (taking cash in my salary from the UK DERA agency, as it continued its ongoing (from 1940+) campaign to outdo its sister agency, GCHQ, by doing things THAT ACTUALLY WORK when spending "strategic funds"). In my case those funds sought to continue a world of "commodity crypto" and secure PEM/S-MIME email, that class of deployment that doesn't really work but helps educate.

So, without naming names or department heads, we can look at the structure – and see from it just “what is wanted”. We can assume US universities, but NOT those already hosting schools that are just funded-proxies for certain agencies, will go the same way.

First, beyond the CS dept UCL happened to already have a police forensics-related department, long involved in the “science” of producing reliable reports. Think of it as a training ground for folks who will start in the CIS program. This department brings into the leadership group a hard core, fully indoctrinated scientist – who asks no moral questions (of himself) while imputing all manner of stuff about anyone else.

Second, UCL also happened to have long-term affiliations with the US DARPA program, the intent being to use intelligent routing and the like to keep the US ahead of the next Sputnik. This program is a gross deception (aiming to ensure that theoretical national regulation boundaries on where data is present, when captured, are trivially subverted, on formal grounds). You subvert the foreign router so the packets are on US soil…

Third, UCL also happened to have certain individuals who belong to a certain elite club of early computer scientists who were part of the US/UK liaison world in the 1950s. This was a continuation of the successful, if only half intended, liaison in the crypto world of the 1930s based on, from the UK, the exchange of Wylie and Turing to Princeton. This is part of the oh-so-English "old boy club" whose clubby rules transferred easily into the spooky world. One sees this tradition continuing, with UCL folks being given access to certain American forums: that special US/UK relationship.

Back to what apparently it is that GCHQ want from a "cyber center of excellence" (some mish-mash of senior academics from various cooperating departments). We can list:

1. psychologists (like those who have produced classical work that has already shown up in leaked GCHQ documents that aim to subvert the internet, from "within the mind"). This is a mix of indoctrination of the elite (a little like the boyhood-to-manhood training in the Hitler Youth "thinking", in 1930s Europe) and of "engaging" in an out-thinking war (with the targets).

2. folks good at phone (in)security, and SIP in particular. This has to focus on putting power into american institutions (vs international forums).

3. folks who are good at academic-math-crypto (vs crypto/cipher design); producing prestige and wide ranging summarization abilities to track overall trends of knowhow and capability dissemination

4. how to leverage routing protocols to bias the “flows” of data in different types of network conditions (including wars).

5. how to indoctrinate folks passing through general engineering school programs so that their expectations of what can and should be achieved with commodity "security designs" are quite limited, to only the classical Orange Book features. This is the Victorian attitude of don't educate the working class (since they might get expectations…), or the American race-hating program of don't educate the "backward" black man (lest he vote).

Above all, the "cyber center of excellence" must be willing to "project the story", and refuse to talk to the likes of me who speak up (else lose the funding that defines one's "professorship"). In the GCHQ (vs the DRA) culture, one has to find me and my kind embarrassing, and expect folks to use all the "high-educated" techniques to "mis-characterize" the very class of thinking that I represent. One has to think here of Franco (in 1970, as he aged) or the English (failed) attempts to subvert Leninism in the 1920s through an early "information war" campaign.

I find it quite amazing JUST HOW effective GCHQ indoctrination of the folks I once knew has been, and how little time it took to pervert academic liberalism and produce not one but several tinpot strutters (with mouths willing to spit venom when no one thinks they are being overheard and reported on). All to keep a few dollars flowing!

But this is GCHQ at heart – an organization that relies on the manufacture of social discord to keep its little windows open.

Posted in rant

GCHQ manipulating wordpress site statistics

I've half-expected GCHQ to have been manipulating my wordpress site's apparent statistics for a couple of years now (as I drivel on, half-assed but pointedly so, about crypto). Looking at the stats each day, there were just too many patterns about which articles garnered interest. It was LIKE someone was trying to engage in 1930s-style impression management, but ended up looking like (and having the negative association of) Dr. Goebbels.

http://cryptome.org/2014/07/nsa-jtrigall-intercept-14-0714.pdf

I would not be in the least surprised to find that my site is strangely only partly visible, or otherwise "disadvantaged", outside the US. At the same time, I have to say: WHY would one go to the trouble (since it's mostly drivel)?

The point is that those who can, do. They feel entitled. The American version even feels exceptional (furthermore). Between them, they get the "masters of the universe" complex. The information war (against any dissent) has to perpetuate, to keep the spooky fix's high coursing through the veins of the indoctrinated.

It’s a social disease; and one that spread quickly to product managers of crypto-stuff in the cloud vendor community.

In my case, folks just want to "put me in my place" (some lower-than-low English class, in that social system that doesn't exist…).

Posted in dunno

adfs v3 configuration for asp.net application

Using Visual Studio 2013 Pro, Update 2, we used the C# ASP.NET wizard to make an SSO-enabled project, which at project creation time we configured as shown next:

image

This app is hosted on the IIS Express service of the same Windows host that runs ADFS v3.

image

Above, we show how we configured the RP (the relying party trust) at the IDP. One MUST take the option and turn ON WS-Federation passive support for the trust, and one MUST enter the RP site's ACS endpoint: the URL to which ADFS will POST the signed token, so it has to match the RP site exactly.

image

To make Windows Integrated Authentication actually work, we had to turn on forms authentication for all RPs, as shown above. I suspect this just resets the service somehow.

This gives us confidence that ADFS is now set up to be a simple IDP for the (not public) rapmls.info domain.

image

Now, to ensure this IDP is set up properly to cooperate with the federation provider (FP) relay at MicrosoftOnline, we make the organizational-accounts variant of the same project:

image

image

 

At this point, we have lots of confidence that our ADFS is working well and cooperates well with the MicrosoftOnline STS/FP to land on a registered application of the domain (and on the office.microsoft.com portal site too, not shown).

This allows us to showcase that INDEED the IDP -> FP flow, ending in a SAML bearer assertion presented at the OAuth token endpoint from the so-called headless client use case, DOES work.

image

 

See https://onedrive.live.com/redir?resid=5061D4609325B60!10656&authkey=!AC_k8xmZ6kPpZXo&ithint=file%2c.saz for the Fiddler trace.
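The same relying-party trust, scripted rather than clicked, as an added example that is not code from the original post or from the sample project. It uses the ADFS cmdlets that ship with Windows Server 2012 R2 and then checks the two MUSTs from the screenshots. Assumptions (placeholders to adjust to what the wizard generated): the IIS Express site and its realm are https://localhost:44300/, the trust's display name is the value of $rpName, and the script runs as an ADFS administrator on the ADFS host.

```powershell
# Added example, not code from the original post: the relying-party trust the
# screenshots above create by hand, scripted, followed by a check of the result.
# Assumed placeholders: $rpUrl (realm and ACS reply URL) and $rpName.
Import-Module ADFS

$rpName = 'rapmls.info asp.net sso sample'   # assumed display name
$rpUrl  = 'https://localhost:44300/'         # assumed realm; also the WS-Fed reply (ACS) URL

# Claims the wizard-generated app needs at minimum: UPN and display name, pulled
# from AD for the Windows account that authenticated.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "upn and name from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,displayName;{0}", param = c.Value);
'@

# Without at least one issuance-authorization permit rule ADFS refuses every token request.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # -WSFedEndpoint is the ACS endpoint the post says MUST be entered; it is the
    # PowerShell equivalent of the GUI's "WS-Federation passive" checkbox plus URL.
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -Identifier $rpUrl `
        -WSFedEndpoint $rpUrl `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# The post had to enable forms authentication next to Windows authentication; the
# primary authentication policy is global in ADFS v3, so this applies to all RPs.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

# Verify instead of trusting the GUI: the passive endpoint is present and is https,
# because the browser POSTs the signed token to it.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp.WSFedEndpoint) { throw "no WS-Fed passive endpoint on '$rpName'" }
if ($rp.WSFedEndpoint.Scheme -ne 'https') { throw "ACS endpoint is not https: $($rp.WSFedEndpoint)" }
$rp | Format-List Name, Identifier, WSFedEndpoint, Enabled, SignatureAlgorithm
```

The final check matters more than it looks: an ACS URL typed with http, or with a port or trailing path that differs from what the app registered as its realm, produces a trust that the GUI shows as healthy but that either leaks the token over plaintext or is rejected by the application's WS-Fed handler.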

Posted in ADFS

MsolDomainFederationSettings

Two domains, two IDPs. rapmlsqa.com is federated to our own SSO portal and issuer service (the active-logon URI is the endpoint rich clients use for WS-Trust; the passive-logon URI is what the browser is redirected to):

Set-MsolDomainFederationSettings -DomainName rapmlsqa.com `
  -FederationBrandName rapmlsqa.com `
  -ActiveLogOnUri https://ssoservices.rapmlsqa.com/Issuer.svc/Office365/OTHER/RAPA/8/BARS `
  -IssuerUri http://ssoportal.rapmlsqa.com/spinitiatedssohandler.aspx/bars `
  -PassiveLogOnUri https://ssoportal.rapmlsqa.com/spinitiatedssohandler.aspx/bars/8 `
  -LogOffUri https://ssoportal.rapmlsqa.com/spinitiatedssohandler.aspx/bars/8

rapmls.info is federated to the ADFS v3 host from the previous post, using the standard ADFS endpoints. The IssuerUri is the ADFS federation service identifier, which ADFS advertises with the http scheme even though every endpoint is https; it must match what ADFS puts in the Issuer element of its tokens byte for byte:

Set-MsolDomainFederationSettings -DomainName rapmls.info `
  -FederationBrandName rapmls.info `
  -ActiveLogOnUri https://petervm32.rapmls.info/adfs/services/trust/13/usernamemixed `
  -IssuerUri http://petervm32.rapmls.info/adfs/services/trust `
  -PassiveLogOnUri https://petervm32.rapmls.info/adfs/ls `
  -LogOffUri https://petervm32.rapmls.info/adfs/ls `
  -MetadataExchangeUri https://petervm32.rapmls.info/adfs/services/trust/mex

Two caveats. This cmdlet only updates a domain that is already federated (the initial conversion is done with Convert-MsolDomainToFederated or Set-MsolDomainAuthentication), and neither command above passes -SigningCertificate, so the token-signing certificate that AAD is to trust must already have been set.
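An added check, not from the original post, for the rapmls.info settings above: read back what AAD now holds and compare it with what the ADFS host actually advertises, since a mismatch in IssuerUri, endpoint host or signing certificate is the usual reason a login that works at /adfs/ls never lands at microsoftonline. It assumes the MSOnline module (Connect-MsolService) is installed and that the script runs on the ADFS host with the ADFS module available; the comparison itself is in a function so it can be run against saved objects as well.

```powershell
# Added example, not from the original post. Assumes the MSOnline and ADFS modules.
function Test-FederationSettings {
    param(
        [Parameter(Mandatory)] $MsolSettings,                   # Get-MsolDomainFederationSettings output
        [Parameter(Mandatory)] [string] $AdfsIdentifier,        # (Get-AdfsProperties).Identifier
        [Parameter(Mandatory)] [string] $AdfsHostName,          # (Get-AdfsProperties).HostName
        [Parameter(Mandatory)] [string] $AdfsSigningThumbprint  # primary token-signing cert
    )
    $problems = @()

    # 1. IssuerUri in AAD must equal the ADFS federation service identifier exactly;
    #    AAD compares it with the Issuer element of the incoming token as a string.
    if ($MsolSettings.IssuerUri -ne $AdfsIdentifier) {
        $problems += "IssuerUri '$($MsolSettings.IssuerUri)' != ADFS identifier '$AdfsIdentifier'"
    }

    # 2. Every endpoint must be set, https, and on the ADFS host.
    foreach ($p in 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri', 'MetadataExchangeUri') {
        if (-not $MsolSettings.$p) { $problems += "$p not set"; continue }
        $u = [Uri] $MsolSettings.$p
        if ($u.Scheme -ne 'https') { $problems += "$p is not https: $u" }
        if ($u.Host -ne $AdfsHostName) { $problems += "$p host '$($u.Host)' != ADFS host '$AdfsHostName'" }
    }

    # 3. The certificate AAD trusts must be the one ADFS currently signs with; AAD stores
    #    it as base64 DER, so rebuild it and compare thumbprints.
    if (-not $MsolSettings.SigningCertificate) {
        $problems += 'no SigningCertificate stored in AAD'
    } else {
        $raw  = [Convert]::FromBase64String($MsolSettings.SigningCertificate)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $raw)
        if ($cert.Thumbprint -ne $AdfsSigningThumbprint) {
            $problems += "AAD signing cert $($cert.Thumbprint) != ADFS primary token-signing cert $AdfsSigningThumbprint"
        }
    }
    return $problems
}

Connect-MsolService
$msol    = Get-MsolDomainFederationSettings -DomainName rapmls.info
$adfs    = Get-AdfsProperties
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate.Thumbprint

$problems = Test-FederationSettings -MsolSettings $msol -AdfsIdentifier $adfs.Identifier `
    -AdfsHostName $adfs.HostName -AdfsSigningThumbprint $signing
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'federation settings consistent' }
```

Run it again after any ADFS token-signing certificate rollover: the certificate check is the one that silently breaks months after the setup above was done.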

Posted in AAD