• Origami

    I love origami and Haruki Nakamura is an astonishing mechanical origamist. I usually stuff my daughter’s Christmas stocking with Lego pieces but this origami craft kit from Nakamura will be a delight to have.

  • Next Life

    Neuralink is hiring and the Software Engineer, BCI Web Apps position sounds very interesting. I have some experience in the front and back end technologies and preferred qualifications listed but I don’t consider myself an expert. More of a jack of all trades but master of none.

    Multiple studies have found that a higher percentage of women and BIPOC candidates won’t apply if they don’t meet every listed qualification. Neuralink values candidates of all backgrounds. If you find yourself excited by our mission but you don’t check every box in the description, we encourage you to apply anyway!

    Neuralink

    If I was twenty years younger, I would be applying but I’m ready to take that trip to the Galapagos Islands and/or retire in Italy. Perhaps in the next life… Cheers!

  • Reptile Family

    Went to an amazing birthday party today for one of Naomi’s good friends. What a great experience put on by Reptile Family… (except for the Madagascar cockroaches)

  • One Day Soon…

    My friend’s dad’s home has the most amazing library with a secret access to an office. If this was my library, I’d never leave my home.

    I am the female version of Henry Bemis, who just wants time to read. I’d want this library in a Queen Anne:

    Escondido, CA 92025

    Nacogdoches, TX 75964

    Greeneville, TN 37745

    Mooresville, NC 28115

    Or a dreamy Italian town that will pay you €30,000 to relocate there:

  • Twitter Fact Checking

    I don’t recall joining Twitter. Apparently, I joined back in 2011. With Elon Musk’s acquisition, I thought I’d check Twitter out. I signed on right during the implosion of FTX …. in real time. I don’t think I slept a wink.

    Recently, I saw this “opinion” piece regarding FTX by a WSJ writer.

    From someone who has been following this story for the last several days, I neither agreed with the opinion nor understood how one came to that conclusion — nor how it relates to Donald Trump.

    Earlier in the week, I had read a tweet from @carjackmiller regarding a feature (Birdwatch) that allows users to add missing context to viral tweets and/or rate if the missing context was helpful or not. I really liked this fact checking model (Elon renamed it to “Community Notes”). What caught my eye was that this approach was inspired by a platform called Polis. Polis was used in Taiwan to crowdsource creation of new laws.

    As the debate began, Polis drew a map showing all the different knots of agreement and dissent as they emerged. As people expressed their views, rather than serving up the comments that were the most divisive, it gave the most visibility to those finding consensus – consensus across not just their own little huddle of ideological fellow-travellers, but the other huddles, too. Divisive statements, trolling, provocation – you simply couldn’t see these

    Taiwan? I just bought stocks in TSM – Taiwan Semiconductor Manufacturing (on a rumor that they were opening a plant in Arizona and that Apple will buy US-made chips from TSMC). Baader-Meinhof (frequency illusion) – when the thing you recently discovered is suddenly everywhere.

    Back to original thought – when I came across the WSJ opinion piece and clicked on the tweet, guess what I saw?

    My first example of community notes! Of course it was helpful!

  • BRICS and mortar

    Mental note to read up on later:

    BRICS want to replace the USD. What does that mean? How does it work?

    The BRICS “de-dollarization coalition” countries, Brazil, Russia, India, China and South Africa, represent 41% of the global population. They have started to use currency swaps to bypass dollar system.

    He (Putin) intends to organize the BRICS countries (Brazil, Russia, India, China, and South Africa, and others) into a unified economic bloc rooted in asset-backed currencies such as metals-backed crypto tokens, with Bitcoin and other cryptocurrencies as a bridge.

    Last week, Algeria officially submitted its application to join BRICS. Could BRICS de-dollarize the world financial system?

    If accepted, the new proposed BRICS members would create an entity with a GDP 30% larger than the United States, over 50% of the global population and in control of 60% of global gas reserves.  

  • This Charming Man

    “..golden child of cryptocurrency..”
    “..crypto world’s white knight..”
    “..darling of Washington policy circle..”
    “..iconoclastic wunderkind..”
    “..I don’t know how I know, I just do. SBF is a winner..”

    I know I know.. it’s been sliced and diced all over the web and twitter. I am just making a mental note. I’m sure SBF and CE will never see a prison cell. They are both very connected. I gotta stop following this story or this Theranos story so I can sleep. (Her lawyers are attempting to convince the judge that she wasn’t a full grown adult when she formed Theranos.)

    Onto my home front, an old colleague showed me two of his ADUs (Accessory Dwelling Units). An ADU is an independent housing unit that may be added (attached or detached) to a residential property. His two ADUs consist of a converted garage and a freestanding unit. The rent he collects covers his mortgage. I could easily convert my garage into an ADU but I like keeping it as a garage. My neighbors, two doors down, added an attached ADU to their garage.

    I like their design better. Another idea I had was adding a modular home by Boxabl, BoneStructure, or pre-fab home by Studio Shed in the backyard. Going to meet with a designer with ADU experience next week to discuss further.

  • Heaven Knows I’m Miserable Now

    My life can be depicted in many different Morrissey or The Smiths song titles. “My Life Is a Succession of People Saying Goodbye”, “We Hate It When Our Friends Become Successful”, “The More you Ignore Me, The Closer I Get”, “Seasick, Yet Still Docked”. At this moment, Heaven Knows I’m Miserable Now.

    I have been training for the half marathon. Two months ago, after running ten miles, my knees started to tighten. My car was still a mile away but I thought I could easily run another mile. Bad judgement. My left knee gave out. After a week of rest, I thought I was ready to try again and ended up in urgent care. Pes Anserine Bursitis – inflammation of the bursa that sits between the shinbone and the three tendons of the hamstring muscles on the inside of the knee. The injury is common in distance runners, especially those with a weak gluteus medius like myself. A cortisone shot, a couple of PT treatments, electrodes and targeted exercises enabled me to run again. However, I could no longer sprint. It was just too painful. My Physical Therapists advised against me running the half marathon. So tomorrow, I will be running the 5K instead. Don’t you hate it when your body fails you?

    Fortunately, I still have my head. Going in a different direction at work. Instead of changing the RMSOwner, I am hoping I can set up a DLP policy condition where the Document property is ContentPropertyContainsWords.

    I read in a forum that “The DLP condition may be based on the managed property in SharePoint Search”. Setting up a managed property was pretty straightforward here and here. The latter sounded promising because of a property called SetBy, which is the account name of the person applying the label. Yes, you can also get this information from the Activity Explorer, but I wanted a DLP policy based on this condition.

    I checked the crawled property selection in SharePoint Admin and couldn’t find this “SetBy” property. Did Microsoft deprecate this crawled property? I looked at the File’s Properties –> Custom and couldn’t find it there.

    I even checked the XML properties of the Word document (docProps –> custom.xml) but to no avail.

    More information on these properties can be found here. Subsequently, I opened a ticket with Microsoft.

    While I am waiting for Microsoft to get back to me, I found another interesting tidbit. There are custom properties in the File–>Info–> Properties–> Advanced Properties (of .docx, .xlsx, etc) that one can set. I set a value of “EXTERNALALLOWED” on the “Purpose” property.


    In the SharePoint Admin Center, open Search and click on “Manage Search Schema”. In the “Managed Properties” tab, click on “New Managed Property” to create a new one. I named mine “DLPDocPurpose”. Select “Queryable” and “Retrievable”, then click on “Add a Mapping”. Here you select the crawled property. I typed the word “Purpose” (without quotes) and both ows_Purpose and Purpose were displayed. I tested both, and the former is the crawled property that maps to Excel’s custom “Purpose” property.

    Once you set up this managed property, you can then use it in your DLP policy. In my example, I used it in an Exception condition as a test:

    This DLP policy blocks attachments carrying certain sensitivity labels. However, if the policy finds a DLPDocPurpose property (mapped to the document’s Purpose custom property) in the metadata with the value “EXTERNALALLOWED”, the email is not blocked.
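    Before chasing a crawled property in the search schema, it helps to confirm what the file itself carries. The following is an added example, not code from the original post: a PowerShell function that opens an Office Open XML file (.docx, .xlsx) as the zip it is and lists every entry in docProps/custom.xml, which is where Office stores the “Purpose” property set under Advanced Properties and also where a sensitivity label stamps its own MSIP_Label_<GUID>_* properties. The Crawled column shows the ows_<Name> form SharePoint search generates for each property. The function name, the sample paths and the group filter in the usage comments are my own; the only dependency is .NET’s System.IO.Compression, present in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example: list the custom document properties (docProps/custom.xml) of an
# Office Open XML file, i.e. the values SharePoint search crawls as ows_<Name>.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeCustomProperty {
    [CmdletBinding()]
    param(
        # Accepts a path directly or FileInfo objects piped from Get-ChildItem
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
        $zip = [System.IO.Compression.ZipFile]::OpenRead($fullPath)
        try {
            $entry = $zip.GetEntry('docProps/custom.xml')
            if (-not $entry) {
                # Files with no custom properties simply lack this part
                Write-Verbose "$fullPath has no docProps/custom.xml part"
                return
            }
            $xml = New-Object System.Xml.XmlDocument
            $stream = $entry.Open()
            try { $xml.Load($stream) } finally { $stream.Dispose() }

            # The part uses the custom-properties namespace for <property> and the
            # docPropsVTypes namespace for the typed value element (vt:lpwstr, vt:bool, ...)
            $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
            $ns.AddNamespace('cp', 'http://schemas.openxmlformats.org/officeDocument/2006/custom-properties')
            $ns.AddNamespace('vt', 'http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes')

            foreach ($prop in $xml.SelectNodes('/cp:Properties/cp:property', $ns)) {
                $name  = $prop.GetAttribute('name')
                $value = $prop.SelectSingleNode('vt:*', $ns)   # exactly one vt:* child per property
                [pscustomobject]@{
                    File    = Split-Path $fullPath -Leaf
                    Name    = $name
                    Type    = if ($value) { $value.LocalName } else { $null }
                    Value   = if ($value) { $value.InnerText } else { $null }
                    Crawled = "ows_$name"   # crawled property name SharePoint search generates
                }
            }
        } finally {
            $zip.Dispose()
        }
    }
}

# Usage (constructed paths; the share and file names are placeholders):
# Get-OfficeCustomProperty -Path 'C:\Temp\WhoIsTheOwner.docx' | Format-Table -AutoSize
#
# Which files on a share already declare the exception value?
# Get-ChildItem '\\fileserver\docs' -Recurse -Include *.docx, *.xlsx |
#     Get-OfficeCustomProperty |
#     Where-Object { $_.Name -eq 'Purpose' -and $_.Value -eq 'EXTERNALALLOWED' }
```

    Since the exception in the DLP policy turns on a value anyone with edit rights can type into Advanced Properties, the second usage line doubles as a review query: run it periodically over the shares in scope and check that every file claiming EXTERNALALLOWED is one you expect to leave the tenant.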

  • Going down the rabbit hole…

    I have posed this question on the internet and have been ridiculed. Sometimes company policies go against common sense but it’s not in my paygrade to debate company policies. My job is to enforce it even if it’s counterintuitive.

    Question: How do you prevent the creator of a document protected by Azure Rights Management Service from printing their own document?

    Turns out you cannot prevent the creator of the document from performing actions on their own documents. The creator has a separate set of permissions, not affected by the protection level/sensitivity label on the document.

    However, you can change the creator/owner of the document through PowerShell via the Protect-RMSFile cmdlet. Azure Information Protection has two PowerShell modules:

    AIPService (formerly AADRM), used to administer the protection service:

    Install-Module -Name AIPService
    Import-Module AIPService

    Confirm the version of the installed module

    (Get-Module AIPService -ListAvailable).Version 

    To see which cmdlets are available, type the following:

    Get-Command -Module AIPService

    AzureInformationProtection cmdlets – part of the Azure Information Protection client, used to protect files, label files and get information about files. You can download it here, but note that this client is now in maintenance mode.

    Issue #1: I installed both and got the same outcome as this individual. Protect-RMSFile was missing!

    The following cmdlets were missing:

    Get-RMSFileStatus            - Gets the RMS protection status of a specified file.
    Get-RMSServer                - Gets a list of RMS servers that can issue templates.
    Get-RMSServerAuthentication  - Gets the server mode status that is used for authentication to RMS.
    Get-RMSTemplate              - Gets a list of RMS templates.
    New-RMSProtectionLicense     - Creates an ad-hoc rights policy for RMS protection.
    Protect-RMSFile              - Protects a specified file / files in a specified folder by using RMS.

    Further googling showed that these cmdlets were deprecated in the Azure Information Protection unified labeling client, which I am using. This table shows the replacement cmdlets:

    Issue #2: What was interesting was that I was still getting error messages (Invalid Operation) running Get-AIPFileStatus on a folder and file. I found the solution here. My admin account that was connected to AIPService was not configured to use the label policy. Once I published the policy to my admin account, I was able to run these cmdlets. And the hole deepens.

    Previously, I had remote-desktopped (as myself) into another computer and created a Word document. Microsoft Office 365 on the remote computer is licensed to DLP2, and DLP2 was signed into the account. When I ran Get-AIPFileStatus against this file, it showed DLP2 as the RMSOwner but the RMSIssuer was me.

    Another hole to research at another time…

    The label applies encryption, as displayed [IsRMSEncrypted = True]. I can change the RMSOwner, which was my intention to begin with. Run the following with the new cmdlets:

    Connect-AIPService
    
    $permissions = New-AIPCustomPermissions -Users "blahblah@blah.com" -Permissions CoOwner
    
    Set-AIPFileLabel '\\Path\Original\WhoIsTheOwner.docx'  -CustomPermissions $permissions
    
    Get-AIPFileStatus -Path '\\Path\WhoIsTheOwner.docx'

    The last line will now display the new RMSOwner as myself. Since this document was protected by using custom permission (RMSTemplateName = Restricted Access), you have to re-protect the document again.

    Via remote desktop, DLP2 can no longer open the file. To re-protect the document manually, I opened and resaved the file (via the network, not via remote desktop). The default sensitivity label was applied (disables print).

    or

    just run the following, in this order, and it will automatically re-protect the document.

    Connect-AIPService
    
    $permissions = New-AIPCustomPermissions -Users "blahblah@blah.com" -Permissions CoOwner
    
    Set-AIPFileLabel '\\path\WhoIsTheOwner.docx'  -RemoveLabel -RemoveProtection -JustificationMessage 'Reason for Removal'
    
    Set-AIPFileLabel '\\path\WhoIsTheOwner.docx'  -LabelId 650b58d3-778c-46fc-8326-00e569d9ba24
    
    Get-AIPFileStatus -Path '\\Path\WhoIsTheOwner.docx'

    DLP2 can now open the file and VOILA – print is disabled! (Because DLP2 is no longer the owner)
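    The sequence above (status, remove label and protection, re-apply the label, status) works file by file, but an ownership transfer on protected content is exactly the kind of change you want to be able to account for afterwards. The following is an added example, not the post’s own code: it wraps the same cmdlets in a function that skips files already owned by the intended account, supports -WhatIf, and appends the before/after RMSOwner and RMSTemplateName to a CSV so the transfers can be reviewed. It assumes the unified labeling client is installed, Connect-AIPService has already been run, and that the account running the session is the one that should become RMSOwner (that is what the post observes). The function name, the audit-log path, the label GUID and the UPN in the usage comments are mine.

```powershell
# Added example: transfer RMS ownership of a labelled file by re-applying the label,
# recording the before/after status so the change is auditable.
function Set-RmsOwnerWithAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,
        # UPN expected to be RMSOwner afterwards: the account running this session
        [Parameter(Mandatory)][string]$ExpectedOwner,
        # GUID of the label to re-apply (placeholder value used in the usage below)
        [Parameter(Mandatory)][string]$LabelId,
        [string]$Justification = 'Ownership transfer approved by data owner',
        [string]$AuditLog = "$env:TEMP\rms-owner-changes.csv"
    )
    process {
        $before = Get-AIPFileStatus -Path $Path
        if ($before.RMSOwner -and ($before.RMSOwner -ieq $ExpectedOwner)) {
            Write-Verbose "$Path is already owned by $ExpectedOwner; nothing to do"
            return $before
        }

        if ($PSCmdlet.ShouldProcess($Path, "Change RMSOwner from '$($before.RMSOwner)' to '$ExpectedOwner'")) {
            # Step 1: strip label and protection; the justification is required when the
            # label policy demands one for downgrades
            Set-AIPFileLabel -Path $Path -RemoveLabel -RemoveProtection -JustificationMessage $Justification | Out-Null
            # Step 2: re-apply the label; protection is re-issued with the current account as owner
            Set-AIPFileLabel -Path $Path -LabelId $LabelId | Out-Null
        }

        $after = Get-AIPFileStatus -Path $Path

        # One audit row per file, appended so repeated runs build a history
        [pscustomobject]@{
            Timestamp      = (Get-Date).ToString('o')
            Path           = $Path
            OwnerBefore    = $before.RMSOwner
            OwnerAfter     = $after.RMSOwner
            TemplateBefore = $before.RMSTemplateName
            TemplateAfter  = $after.RMSTemplateName
            ChangedBy      = $env:USERNAME
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

        if ($after.RMSOwner -ine $ExpectedOwner) {
            Write-Warning "RMSOwner of $Path is '$($after.RMSOwner)', expected '$ExpectedOwner'; check which account applied the label"
        }
        $after
    }
}

# Usage (placeholder UPN, GUID and share; Connect-AIPService must already have run):
# Set-RmsOwnerWithAudit -Path '\\Path\WhoIsTheOwner.docx' -ExpectedOwner 'me@contoso.example' `
#     -LabelId '00000000-0000-0000-0000-000000000000' -WhatIf
#
# Bulk transfer for a folder, then review the log:
# Get-ChildItem '\\Path\Handover' -Filter *.docx |
#     Set-RmsOwnerWithAudit -ExpectedOwner 'me@contoso.example' -LabelId '00000000-0000-0000-0000-000000000000'
# Import-Csv "$env:TEMP\rms-owner-changes.csv" | Format-Table -AutoSize
```

    Run it once with -WhatIf to see which files would change hands without touching them; the removal step briefly leaves the file unprotected on disk, so keep the window short and keep the audit CSV somewhere the people who approved the transfer can read it.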

  • Annoying Welcome Email

    Recently, I have been tasked with implementing DLP (Data Loss Prevention) policies at work. One optional precursor to DLP is setting sensitivity labels. While testing (i.e. publishing labels) to a test group, you need a catch-all permission group so that if you inadvertently send an email to someone outside the test group, they can still read the document. If not, they will get this error:

    My catch-all permission group is a dynamic group created in Azure AD based on Microsoft 365 Business Premium service plan:

    user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled")
    

    Any new employee will automatically be put here so I don’t have to manually manage the group. Cool Beans! However, when you create a group, an annoying welcome email is sent to all members of the group. The last thing I want is a barrage of phone calls/emails enquiring about the group. It can’t be disabled in the UI. Fortunately, the solution can be found in a simple PowerShell script with one nuance….

    $UserCredential = Get-Credential
    
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://blahblah.outlook.com/Powershell-LiveId -Credential $UserCredential -Authentication Basic -AllowRedirection
    
    Import-PSSession $session -DisableNameChecking
    
    Set-UnifiedGroup -Identity "GroupName" -UnifiedGroupWelcomeMessageEnabled:$false

    Before running the last line, create the dynamic group first and configure the rule to include only you. You will get an error that the group doesn’t exist if you don’t create the group first. But then doing so will generate the email to everyone; hence, you add yourself first. Then you can run the last line above and go back and edit the dynamic group rule to include the service plan.

    And if you need the correct ConnectionUri, just run the following and grab everything before the “?”:

    Connect-IPPSSession -Credential $UserCredential
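    The “group doesn’t exist” error described above is a timing problem: a group created in the Azure AD portal takes a few minutes to be provisioned in Exchange Online, and Set-UnifiedGroup cannot see it until then. The following is an added example, not the post’s script: it uses the ExchangeOnlineManagement module (Connect-ExchangeOnline, modern authentication) in place of the Basic-auth New-PSSession/Import-PSSession pair, polls until the group is visible, flips the flag only if it is still on, and re-reads the group so the caller can verify the result. A second function lists every existing Microsoft 365 group that would still mail each new member. Both function names, the timeout values and the group and admin names in the usage comments are my own; the module must be installed with Install-Module ExchangeOnlineManagement first.

```powershell
# Added example: disable the Microsoft 365 group welcome mail via the
# ExchangeOnlineManagement module, waiting for a new group to appear in Exchange Online.
function Disable-GroupWelcomeMessage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Display name, alias or SMTP address of the group
        [Parameter(Mandatory)][string]$Identity,
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 15
    )
    # A freshly created group is not immediately provisioned in Exchange Online;
    # until it is, Get-/Set-UnifiedGroup report that it cannot be found.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $group = Get-UnifiedGroup -Identity $Identity -ErrorAction SilentlyContinue
        if ($group) { break }
        Write-Verbose "Group '$Identity' not visible in Exchange Online yet; retrying in $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    if (-not $group) {
        throw "Group '$Identity' not found in Exchange Online after $TimeoutSeconds s"
    }

    if (-not $group.WelcomeMessageEnabled) {
        Write-Verbose "Welcome message already disabled for '$($group.DisplayName)'"
        return $group
    }

    if ($PSCmdlet.ShouldProcess($group.DisplayName, 'Disable welcome message')) {
        Set-UnifiedGroup -Identity $group.Identity -UnifiedGroupWelcomeMessageEnabled:$false
    }

    # Re-read so the caller can confirm WelcomeMessageEnabled is now False
    Get-UnifiedGroup -Identity $group.Identity
}

# Audit helper: which existing groups still send the welcome mail to every new member?
function Get-GroupsWithWelcomeMessage {
    Get-UnifiedGroup -ResultSize Unlimited |
        Where-Object WelcomeMessageEnabled |
        Select-Object DisplayName, PrimarySmtpAddress, WelcomeMessageEnabled
}

# Usage (placeholder admin and group names):
# Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
# Disable-GroupWelcomeMessage -Identity 'DLP-Pilot-Readers' -Verbose |
#     Select-Object DisplayName, WelcomeMessageEnabled
# Get-GroupsWithWelcomeMessage
# Disconnect-ExchangeOnline -Confirm:$false
```

    The ordering trick from the post still applies: create the dynamic group with a rule that matches only yourself, run Disable-GroupWelcomeMessage, and only then widen the rule to the service plan. The polling loop just removes the need to guess how long to wait between the first two steps.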