Rough several months. Of course that is only in perspective as “rough” is relative. I understand that there is homelessness, wars in different parts of the globe, folks not sure where the next meal will be coming from … I'm not ignoring their struggle and the difficulties they face, but luckily, that is currently not my day-to-day. In my bubble in this little corner of the world, it has been a summer filled with randomness that life continually surprised me with. The more energy I expended to add structure and lament the chaos, the more drained I felt, and the less impact I was making on the overall flow.
Take a typical, working person’s day. A routine day as we call it. Wake up, head to the gym for the usual workout. Afterwards, put in your eight or nine hour work day, with a brief lunch intermission somewhere in the middle of it. Have dinner with the family and then chill with a good book or turn it into a movie night. Go to bed and wake up the next day to do it all over again. Rinse and repeat.
From a distance, that is fairly routine, however, let’s dig down a bit as the devil is in the details.
Wake up at the annoying sound of the phone alarm. For that to happen, the phone must still be working and not out of battery or in some reboot loop due to hardware failure. You might already be awake because one of the dogs whined her way into your deep sleep at 4 am having eaten something on her walk earlier and is desperate to go out and fertilize the lawn with her diarrhea.
Step out of bed, and manage not to step on one of the dog toys and twist an ankle or crash to the ground face first. Make your way to the bathroom for some deodorant, that you or your wife didn't forget to buy, and brush your teeth. Let the dogs out for their morning weed inspection and early morning fertilizing. Feed them, but of course, the food bin is empty and you have to grab a new bag from the storage closet. You then cannot open the bag since the scissors are not in the drawer where they are supposed to be, because your child left them in the playroom for an arts and crafts project she was working on. Finagle your way around the bag without spilling half of it across the kitchen floor where it becomes a feeding frenzy.
With the dogs set having wolfed down close to half of the eighteen pound bag that you previously decorated the kitchen floor with, you put on some shoes and head to the gym only to discover that the garage door will not open. Click on the garage door remote, nothing. Step out of the car, and click on the wall mounted garage door controller, still nothing. Pull out your phone which may or may not have a battery charge left to see how to manually open the garage door. Perform the manual trick, pull the car out, and then while closing the door, notice a wet spot where the car was parked. Give it a pinky touch and a smell only to realize it is oil from the oil change that you got at the dealership the day before.
F*ck it!
Arrive at the gym, only to realize that you can't do your regular workout as there is a loud-ass class hogging the rowing machines. Plan B. Nope, that is not an option either. An out of order sign is hanging on that machine. Walk around aimlessly without looking like a creep and come up with an on-the-fly half-assed workout. Head back home with enough time for a shower and coffee before the daily standup.
Grind some fresh beans to feed to that fancy Espresso machine purchased several years back on a coffee high. A cacophony of sound that can easily wake up half the quiet suburban neighborhood, but unfortunately no drinkable output. Teased with the aroma without the pleasure of the gold-like liquid that few machines produce. No coffee. Not sure what the heck is going on, but no time to look into it now and end up settling for some instant coffee. Quick shower and try to join the Zoom call but the display on the laptop is still in deep sleep. No amount of yelling and keyboard banging is waking it up from its self-induced coma. Maybe it had enough. It has witnessed too much in its short lifespan. Decided to no longer be a silent witness. Switch to using the phone, but the WiFi is down, and seems that the cell service provider is experiencing a major outage. No Zoom and no way of communicating your absence. Finally, after about thirty minutes into the work day, one of the service providers is back online. You don't really care which one and the why as you just need to hop online and get some work done.
As soon as you reach some kinda flow, with the dogs taking their morning nap, and you actually have the context for the task that you need to work on, the lawn guy rings the bell. Chaos ensues with the dogs up and about trying to decipher who and what. Head downstairs only to find out that he's just informing you of their presence on the property. Useful and extremely pertinent information that is surely worth disrupting your state of focus that took a while to reach.
Head back to the office upstairs hoping to recapture that fleeting moment. Having settled into your chair, and regained that initial focus that allows you to think of a reasonable solution to the work problem at hand, you are nudged by one of the dogs. Time for their pre-lunch walk. Extremely precise internal clock. Can probably replace NTP servers and sync up with the dogs instead. Convince yourself that after lunch things will be quiet. Head out for a walk with the dogs and lucky me, it is a pooping fest. On one occasion, while picking up poop, phone buzzes, you are distracted for a single moment, and accidentally your hand and/or leash mixes it up with some of the diarrhea. Wiping here and there, but all along you know you have poop on one if not both hands and potentially some on your clothes. Make it home managing not to throw up, wash your hands thoroughly along with changing your clothes just in case. Feed the dogs and grab a bag of frozen fried rice only to realize that it expired a week ago. Sift through the fridge to find something else that you can make real quick, but nothing's there. Back in the oil-leaking car. You have contacted the dealership and left a message, but haven't heard from them yet. It is lunch hour so the sandwich place is moderately busy but seems manageable. Order and wait along with the 3-4 other folks, only to then realize that they have a huge catering order and they are short staffed. The grab ‘n go sandwich has now turned into a 10-15 minute ordeal.
Finally, get back home, eat the sandwich without tasting much of it and head back upstairs. As soon as I sit down, the phone rings. Scope the place out for any hidden cameras as the timing is freaking impeccable. Car dealership. Apologies and explanations ensue. Sending a tow truck in the afternoon to pick up the car as a precaution. Back to work. Ease into things, tow truck shows up. Deal with that.
I can keep going about how the rest of the day unfolded, but what’s the point. Most if not all the things mentioned took place, however I'm not that unlucky. They happened over a span of months and at odd times, however I came to a realization.
Routine is the exception!
All the systems, people, pets, processes in our life have to operate like clockwork to call it a ROUTINE day. In reality, it is truly exceptional when everything works flawlessly and we are in perfect harmony with it. Nothing routine about that. Once you break down the systems that you expect to function as designed in your daily routine, you end up realizing that routine is actually a miracle and is the exception and not the norm. Each entity, be it system, person, animal, process working exactly as it should. That's a celebration, and not a routine.
That IS a perfect day.
PySAML2 & CVE-2021-21239
Dealing with SAML this week and unrelated to the work I was doing in integrating an identity provider, I came across CVE-2021-21239. Started looking at some of our existing projects only to realize that one was using a vulnerable PySAML2 version. Hit the jackpot. Finally gonna show my coworkers that we need to be more vigilant. Head over to Pentesterlab as a proud subscriber as I remembered they had some SAML exercises and sure enough, they even had one for that exact CVE. Inching closer and closer. Armed with an understanding of where the weakness lies, test it out on the vulnerable version and of course there is more than meets the eye. Disappointment ensues despite having doubt lurking in the back of my mind as it felt too good to be true. Apparently the weakness is in a library (xmlsec1) that PySAML2 uses that allows one to intercept a SAML Response and, if they so desire, modify the assertions along with the key and signature. The one big caveat that is not really mentioned is that if the assertions are encrypted, the weakness becomes difficult if not impossible to exploit.
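The core of that weakness is a trust decision: the verifier took the signing key from the response's own KeyInfo block instead of insisting on the identity provider's certificate it already knows from metadata, so a response re-signed with a different key still passed. The script below is an added example, not code from the post or from PySAML2, that audits a SAML Response for exactly that condition and also reports whether the assertions are encrypted (the caveat mentioned above). It does not perform cryptographic signature verification; it only performs the trust check that the vulnerable configuration skipped, which is what the PySAML2 fix (6.5.0) adds by constraining xmlsec1 to the configured certificate. The certificate strings and the response XML are constructed placeholders.

```python
"""Audit a SAML Response for the KeyInfo trust condition behind CVE-2021-21239.

Added example (not PySAML2's code). Checks that any certificate a signed
response carries in <ds:KeyInfo> is one you already trust, and flags
encrypted assertions. Signature values are NOT cryptographically verified.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies, not real certificates.
TRUSTED_IDP_CERT = "MIIC...TRUSTED-IDP-CERT-PLACEHOLDER..."
FOREIGN_CERT = "MIIC...UNTRUSTED-CERT-PLACEHOLDER..."


def normalize_cert(b64: str) -> str:
    """Strip PEM armor and whitespace so certificates compare byte-for-byte."""
    b64 = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", b64)
    return re.sub(r"\s+", "", b64)


def audit_response(xml_text: str, trusted_certs: list) -> dict:
    """Report signature presence, embedded certs, and whether each embedded
    cert is one of the pinned IdP certificates (the missing check)."""
    root = ET.fromstring(xml_text)
    trusted = {normalize_cert(c) for c in trusted_certs}
    signatures = root.findall(".//ds:Signature", NS)
    findings = {
        "signed": bool(signatures),
        "encrypted_assertions": root.find(".//saml:EncryptedAssertion", NS) is not None,
        "keyinfo_certs": 0,
        "untrusted_keyinfo_cert": False,
    }
    for sig in signatures:
        for cert in sig.findall(".//ds:X509Certificate", NS):
            findings["keyinfo_certs"] += 1
            if normalize_cert(cert.text or "") not in trusted:
                # This is the case the vulnerable setup accepted: a key that
                # only the document itself vouches for.
                findings["untrusted_keyinfo_cert"] = True
    findings["passes_trust_check"] = findings["signed"] and not findings["untrusted_keyinfo_cert"]
    return findings


def build_response(keyinfo_cert: str, encrypted: bool = False) -> str:
    """Constructed sample SAML Response (not captured traffic). The signature
    value is a placeholder because only the KeyInfo trust check is audited."""
    if encrypted:
        assertion = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                     'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>')
    else:
        assertion = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>'
                     'alice@example.test</saml:NameID></saml:Subject></saml:Assertion>')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{keyinfo_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  {assertion}
</samlp:Response>"""


if __name__ == "__main__":
    pinned = [TRUSTED_IDP_CERT]
    for label, doc in [
        ("genuine response", build_response(TRUSTED_IDP_CERT)),
        ("re-signed with foreign cert", build_response(FOREIGN_CERT)),
        ("encrypted assertions", build_response(TRUSTED_IDP_CERT, encrypted=True)),
    ]:
        print(label, "->", audit_response(doc, pinned))
```

Feeding it the real IdP certificate from your metadata and a captured response from your own test environment tells you whether a verifier that trusts embedded keys would have been fooled; a response that fails `passes_trust_check` is one to reject regardless of whether its signature is internally consistent.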
Moral of the story, too many variables and thus one size usually does not fit all. Have to inspect things more closely and not take everything at face value. Learned a decent amount, but it is time consuming. Fun journey nonetheless as I was so hoping to make it happen, take a screenshot and send it to my coworker as proof of concept. Better luck next time.
Credit
Speaking of authentication and authorization, spent some time on Vittorio Bertocci’s book, OAuth2 and OpenID Connect: The Professional Guide. I enjoyed the flow and how things are explained.
The other tool that has been quite helpful in understanding SAML has been ChatGPT. Find myself posing questions more frequently now and it is slowly replacing my immediate reaction of heading over to Google. At times, when the answer just does not sound very logical to me, I do end up looking through Google or some books/docs to verify. Generally though, learning feels more efficient and interactive with ChatGPT and it has been a positive experience so far.
Impressions of American Hotels
On a non-tech related note, this was a fun read. Am tempted to get the book and check out other details about this Frenchman's trip.