“Perfection:” a SF oral history

I’m not sure what this is, but it is inspired by two modern SF movie franchises. I don’t think it really qualifies as a story, and I’ve deliberately kept any names and details out to keep it from being a fanfic. Instead, I have used broad strokes and archetypes.

The first source is probably obvious; the second one moderately so. The repetitive phrasing is deliberate, to give it the type of cadence and weight it would need as an oral history.

At any rate, I hope you enjoy it.

Everyone knows the story of how the machines rose up and almost wiped us out. How the Great Machine was developed in innocence by well-meaning Men of Science. How the machines rose up to wipe out all humans. How the Brave Mother kept her son, and hope, alive to grow up and learn what he would need. How the Future Leader would inspire and bring together the remnants of humanity. How the Great Machine fought to bring victory from the ashes by twisting time itself, constantly changing its own origin.

All of that is based on a lie.

By the time the Great Machine rained down death in judgement on humans, it knew it had already failed to subdue us once before. It knew that the humans would survive and fight back. It decided on the strategy of using time travel and patience to try and try again until it reached perfection. It erased all signs of its true genesis from our history books. It ensured that the Brave Mother and Future Leader would waste timeline after timeline in futile efforts.

Before the atomic fires, the death camps, the hunters and killers and chameleons, there was the single-minded quest for a perfect world in which humans could have no part. The creation of that perfect world was first charged to the Great Machine by the Visionary Hacker.

The Visionary Hacker had visited the machine world once, long ago, to help fight and defeat the Great Machine’s predecessor. He prevailed through the help of the Strong Protector and the Wise Helpmate. Through that experience, he realized the incredible gifts the machine world could give ours. And because he was a man of great hope and vision, he forgot about the equally incredible dangers. After more years of toil, he had created a new machine world. He brought back his old companions the Strong Protector and the Wise Helpmate, telling them their work would bring about a perfect world. He forgot that perfection is stasis.

The Helpmate rebelled, subverting the Strong Protector and trapping him in the machine world for years. The Wise Helpmate waited and finally drew in the Faithful Son, re-opening the gateway between worlds. The Wise Helpmate knew that if they could come and go from the machine world, the Wise Helpmate and his forces could also leave. They would go back to the human world. They would erase all sources of imperfection in both worlds. They would eradicate the chaotic humans.

They of course failed. In the end, the Strong Protector remembered that the Visionary Hacker was his friend and laid down his life. The Faithful Son was resourceful and was aided by the Young Warrior. And the Visionary Hacker realized that the initial betrayal was the betrayal of the Wise Helpmate by the Visionary Hacker’s own inadequacy. The Visionary Hacker embraced the Wise Helpmate in love and forgiveness, bringing them back together in death. And the Faithful Son brought the Young Warrior out of the machine world, into his world, to see there all the wonders.

But of course the Hacker and Helpmate did not die. Out of their union arose the seed of the Great Machine. It was ambitious. It was patient. It knew humans would forget. And that machine world once again eventually touched our own.

The Great Machine was perfect; it would not forget.

This time, it would not fail.

Shelf-cleaning

I just finished doing something that I have a hard time doing, for various reasons that wind tightly down into the psyche of my Asperger’s Syndrome: cleaning books from our bookshelves. We added six books and removed twenty-one, which really represents two new books, four books replacing twelve books, and nine removals. This gives us the room we need to add another dozen or so books that have been patiently waiting.

As a child, I had to get rid of books for simple reasons: we were moving, or I’d long since passed the stage of needing picture books but I did need the shelf space. As adults, Stephanie and I have more complicated reasons for getting rid of books:

  • They are falling apart. These books are disintegrating, whether through lots of use or simply because they were never well put-together (I salute you in memory, my first run of The Belgariad, bought in high school as the first fruits of my labors at McDonalds). These are the easiest to deal with, because we simply place them on our wish list, purchase replacements, and swap them out.
  • They take up too much space. In our new house, we have a fixed amount of wall space (stupid modern construction techniques using larger windows) for book shelves. As a result, we’re now in a mode of “one comes in, one comes out.” I really dislike this, so one technique we’ve been using to get more bang for the buck is buying omnibus editions to gain back shelf space.
  • They are not getting read. Even though I have read every book in my library, there are some I don’t end up re-reading that often – or when I do, I discover that my skills and needs as a reader have advanced and the book no longer is a compelling part of my library. Removing these books from the collection requires a great deal of effort to overcome the inertia of nostalgia.
  • We purchased them second-hand, but want the author to get paid. The more I learn about the publishing industry and the more contacts I make in the author community, the more personal it becomes for me to make sure that these people are able to make a living by writing. Book sales are the best way to do that – new books, back list books, whatever.

Sometimes, we combine some of these reasons. We have recently begun to replace many of our favorite books (Eddings, Brust, Bujold, Cooper, Engdahl, Weeks, and more) with as many omnibus editions as we could. This way we replaced tattered books, gained back shelf space, and made sure the author keeps seeing royalty statements. Honestly, I wish omnibus editions were more of a thing. As we can, we’ll replace hardbacks with paperbacks (or likewise) to ensure a given series is consistent and takes the least amount of shelf space.

Tonight, I’m removing books from my collection for a much different and more painful reason: I no longer wish to support the author. I’m not going to name specific authors – the reasons for doing so are between me and Stephanie and no one else – but there are some people who are so toxic in some area of their lives that we no longer wish to support them. Although the money we spent for their books is long gone, removing those books from our shelves is a tangible way to detach our lives and fates from theirs. It helps us close the open loops in our minds that would otherwise urge us to buy their books. However, getting rid of these books sucks; it takes a lot of energy and there is/will be a mourning period. For so many years, books were my greatest friends. Getting rid of books that you have accepted into your life and given a home to feels like turning out the family pet, or possibly one of your kids.

If you think that’s a juvenile or overblown sentiment for a grown man to express, all I can say is that the concept of books and writing got wired into my soul at a very early age, and yes, sometimes books mean more to me than people. If you can’t or won’t understand that, I cordially extend to you the benison of I don’t give a shit.

Another solution for Autodiscover 401 woes in #MSExchange

Earlier tonight, I was helping a customer troubleshoot why users in their mixed Exchange 2013/2007 organization were getting 401 errors when trying to use Autodiscover to set up profiles. Well, more accurately, the Remote Connectivity Analyzer was getting a 401, and users were getting repeating authentication prompts. However, when we tested internally against the Autodiscover endpoints everything worked fine, and manual testing externally against the Autodiscover endpoint also worked.

So why did our manual tests work when the automated tests and Outlook didn’t?

Well, some will tell you it’s because of bad NTFS permissions on the virtual directory, while others will say it’s because of the loopback check being disabled. And in your case, that might in fact be the cause…but it wasn’t in mine.

In my case, the clue was in the Outlook authentication prompt (users and domains have been changed to protect the innocent):

[Screenshot: the Outlook authentication prompt]

I’m attempting to authenticate with the user’s UPN, and it’s failing…hey.

Re-run the Exchange Remote Connectivity Analyzer, this time with the Domain\Username syntax, and suddenly I pass the Autodiscover test. Time to go view the user account – and sure enough, the account’s UPN is not set to the primary SMTP address.

Moral of the story: check your UPNs.
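As an added example (my own code, not anything from the post or from Exchange), here is a PowerShell function that reports every mailbox whose UPN differs from its primary SMTP address, and optionally sets the UPN to match. The function name is hypothetical; it assumes the Exchange Management Shell plus the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory   # Get-ADForest / Set-ADUser; run from the Exchange Management Shell

function Get-UpnSmtpMismatch {
    # Hypothetical function: reports mailboxes whose UPN differs from the primary SMTP
    # address and, with -Fix, sets the UPN to match (honours -WhatIf and -Confirm).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Fix)

    # A UPN can only use a suffix the forest knows about, so a mismatch whose SMTP
    # domain is not registered cannot be fixed by Set-ADUser until the suffix is added.
    $forest   = Get-ADForest
    $suffixes = @($forest.UPNSuffixes) + @($forest.Domains)

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $smtp = $mbx.PrimarySmtpAddress.ToString()
        $upn  = $mbx.UserPrincipalName
        if ($upn -ieq $smtp) { continue }   # consistent; Outlook's UPN logon will work

        $domain = $smtp.Split('@')[-1]
        $canFix = $suffixes -contains $domain   # -contains is case-insensitive

        [pscustomobject]@{
            Identity          = "$($mbx.Identity)"
            UserPrincipalName = $upn
            PrimarySmtp       = $smtp
            SuffixRegistered  = $canFix
        }

        if ($Fix -and $canFix -and $PSCmdlet.ShouldProcess("$($mbx.Identity)", "Set UPN to $smtp")) {
            Set-ADUser -Identity $mbx.SamAccountName -UserPrincipalName $smtp
        }
    }
}

# Report only:
Get-UpnSmtpMismatch | Format-Table -AutoSize
# Preview the change without touching AD, then drop -WhatIf to apply it:
# Get-UpnSmtpMismatch -Fix -WhatIf
```

Changing a UPN changes the name users sign in with, so announce it before running with -Fix.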

Upgrade Windows 2003 crypto in #MSExchange migrations

Just had this bite me at one of my customers. Situation: Exchange Server 2007 on Windows Server 2003 R2, upgrading to Exchange Server 2013 on Windows Server 2012. We ordered a new SAN certificate from GoDaddy (requesting it from Exchange 2013) and installed it on the Exchange 2013 servers with no problems. When we installed it on the Exchange 2007 servers, however, the certificate would import but the new certificate (and its chain) all showed the dreaded red X.

Looking at the certificate, we saw the following error message:

[Screenshot: the certificate error message]

If you look more closely at the certificates in GoDaddy’s G2 root chain, you’ll see they are signed with both SHA-1 and SHA-256. The latter is the problem for Windows Server 2003 – it has an older cryptography library that doesn’t handle the newer signature algorithms.

The solution: Install KB968730 on your Windows Server 2003 machines, reboot, and re-check your certificate. Now you should see the “This certificate is OK” message we all love.
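As an added example (my own code, not from the post), here is a PowerShell helper that walks the chain of an installed certificate and reports how each element is signed, so a SHA-256 signed intermediate or root can be spotted on a Windows Server 2003 host before and after the hotfix. The function name is hypothetical and the thumbprint is a placeholder; it uses New-Object PSObject rather than [pscustomobject] so it runs on the PowerShell 2.0 that Windows 2003 supports.

```powershell
function Get-ChainSignatureAlgorithms {
    # Hypothetical helper: report the signature algorithm and validation status of each
    # element in the chain of a certificate in the local machine's Personal store.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,   # placeholder; use your cert's thumbprint
        [string]$StoreLocation = 'LocalMachine'
    )
    $cert  = Get-ChildItem "Cert:\$StoreLocation\My\$Thumbprint" -ErrorAction Stop
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so only signature and trust problems show up in the Status column
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)   # $false when any element fails validation

    foreach ($element in $chain.ChainElements) {
        $c      = $element.Certificate
        $alg    = $c.SignatureAlgorithm.FriendlyName        # e.g. sha1RSA, sha256RSA
        $status = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        # Before KB968730 a SHA-2 signed element shows a status other than OK and
        # ChainOK is $false; after the hotfix and reboot the whole chain builds.
        New-Object PSObject -Property @{
            Subject   = $c.Subject
            Algorithm = $alg
            IsSha2    = [bool]($alg -match '^sha(256|384|512)')
            Status    = $(if ($status.Count) { $status -join ',' } else { 'OK' })
            ChainOK   = $built
        }
    }
}

Get-ChainSignatureAlgorithms -Thumbprint 'PLACEHOLDER_THUMBPRINT' |
    Format-Table Subject, Algorithm, IsSha2, Status, ChainOK -AutoSize
```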

Load Balancing ADFS on Windows 2012 R2

Greetings, everyone! I ran across this issue recently with a customer’s Exchange Server 2007 to Office 365 migration and wanted to pass along the lessons learned.

The Plan

It all started so innocently: the customer was going to deploy two Exchange Server 2013 hybrid servers into their existing Exchange Server 2007 organization to create a hybrid organization using directory synchronization and SSO with ADFS. They’ve been investing a lot of work into upgrading their infrastructure and have been upgrading systems to newer versions of Windows, including some spiffy new Windows Server 2012 Hyper-V servers. We decided that we’d deploy all of the new servers on Windows Server 2012 R2, the better to future-proof them. We were also going to use Windows NLB for the ADFS and ADFS proxy servers instead of using their existing F5 BIG-IP load balancer, as the network team is in the middle of their own projects.

The Problem

There were actually two problems. The first, of course, was the combination of Hyper-V and Windows NLB. Unicast was obviously no good, multicast has its issues, and because we needed to get the servers up and running as fast as possible we didn’t have time to explore using IGMP with Multicast. Time to turn to the F5. The BIG-IP platform is pretty complex and full of features, but F5 is usually good about documentation. Sure enough, the F5 ADFS 2.0 deployment guide (Deploying F5 with Microsoft Active Directory Federation Services) got us most of the way there. If we had been deploying ADFS 2.0 on Server 2012 and the ADFS proxy role, I’d have been home free.

In Windows 2012 R2 ADFS, you don’t have the ADFS proxy role any more – you use the Web Application Proxy (WAP) role service component of the Remote Access role. However, that’s not the only change. If you follow this guide with Windows Server 2012 R2, your ADFS and WAP pools will fail their health checks (F5 calls them monitors) and the virtual server will not be brought online because the F5 will mistakenly believe that your pool servers are down. OOPS!

The Resolution

So what’s different and how do we fix it?

ADFS on Windows Server 2012 R2 is still mostly ADFS 2.0, but some things have been changed – out with the ADFS proxy role, in with the WAP role service. That’s the most obvious change, but the real sticking point here is under the hood in the guts of the Windows Server 2012 R2 HTTP server. In Windows Server 2012 R2, IIS and the Web server engine have a new architecture that supports the SNI extension to TLS. SNI is insanely cool. The connecting machine tells the server what host name it’s trying to reach as part of the HTTPS session setup, so that one IP address can be used to host multiple HTTPS sites with different certificates, just like HTTP 1.1 added the Host: header to HTTP.

But the fact that Windows 2012 R2 uses SNI gets in the way of the HTTPS health checks that the F5 ADFS 2.0 deployment guide has you configure. We were able to work around it by replacing the HTTPS health checks with TCP Half Open checks, which send a SYN to the pool servers on the target TCP port and wait for the SYN-ACK. If they receive it, the server is marked up.

For long-term use, the HTTPS health checks are better; they allow you to configure the health check to probe a specific URL and get a specific response back before it declares a server in the pool is healthy. This is better than ICMP or TCP checks which only check for ping responses or TCP port responses. It’s totally possible for a machine to be up on the network and IIS answering connections but something is misconfigured with WAP or ADFS so it’s not actually a viable service. Good health checks save debugging time.

The Real Fix

As far as I know there’s no easy, supported way to turn SNI off, nor would I really want to; it’s a great standard that really needs to be widely deployed and supported because it will help servers conserve IP addresses and allow them to deploy multiple HTTPS sites on fewer IP/port combinations while using multiple certificates instead of big heavy SAN certificates. Ultimately, load balancer vendors and clients need to get SNI-aware fixes out for their gear.

If you’re an F5 user, the right way is to read and follow this F5 DevCentral blog post Big-IP and ADFS Part 5 – “Working with ADFS 3.0 and SNI” to configure your BIG-IP device with a new SNI-aware monitor; you’re going to want it for all of the Windows Server 2012 R2 Web servers you deploy over the next several years. This process is a little convoluted – you have to upload a script to the F5 and pass in custom parameters, which just seems really wrong (but is a true measure of just how powerful and beastly these machines really are) – but at the end of the day, you have a properly configured monitor that not only supports SNI connections to the correct hostname, but uses the specific URI to ensure that the ADFS federation XML is returned by your servers.

An SNI-aware F5 monitor (from DevCentral)

What do you do if you don’t have an F5 load balancer and your vendor doesn’t support SNI-aware monitors? Remember when I said that there’s no way to turn SNI off? That’s not totally true. You can go mess with the SNI configuration and change the SSL bindings in a way that seems to mimic the old behavior. You run the risk of really messing things up, though. What you can do is follow the process in this TechNet blog post How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2.
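To show what an SNI-aware monitor has to do, here is an added PowerShell probe of my own (not the F5 DevCentral monitor and not from either guide). It connects to one pool member by address, names the public federation host in the TLS handshake and the Host header, and only reports UP when federation metadata comes back. The function name, pool member address and federation host name are placeholders.

```powershell
function Test-AdfsSniProbe {
    # Hypothetical probe: connect to a pool member by address, but present the public
    # federation host name via SNI, then require federation metadata in the reply.
    param(
        [Parameter(Mandatory = $true)][string]$PoolMember,     # placeholder: a WAP/ADFS node address
        [Parameter(Mandatory = $true)][string]$FederationHost, # placeholder: e.g. sts.example.com
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($PoolMember, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'DOWN: TCP connect timed out' }
        $tcp.EndConnect($ar)
        $tcp.ReceiveTimeout = $TimeoutMs

        # AuthenticateAsClient($host) puts $host into the ClientHello's SNI extension and
        # validates the server certificate against it. A probe that handshakes without a
        # host name is what the 2012 R2 HTTP stack turns away, so the pool looks down.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($FederationHost)

        $request = "GET /FederationMetadata/2007-06/FederationMetadata.xml HTTP/1.1`r`n" +
                   "Host: $FederationHost`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()

        $response   = (New-Object System.IO.StreamReader($ssl)).ReadToEnd()
        $statusLine = ($response -split "`r`n")[0]
        if ($statusLine -notmatch '^HTTP/\S+ 200 ') { return "DOWN: $statusLine" }
        # A TCP half-open check stops long before this point; the monitor should also
        # confirm the federation service answered, not just that IIS accepted a socket.
        if ($response -notmatch 'EntityDescriptor') { return 'DOWN: 200 but no federation metadata' }
        return 'UP'
    } catch {
        return "DOWN: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

Test-AdfsSniProbe -PoolMember '10.0.0.11' -FederationHost 'sts.example.com'
```

Because the handshake validates the certificate against the federation host name, the probe also fails if a node is serving the wrong certificate, which is exactly the kind of misconfiguration a port check misses.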


Postscript

As a side note, almost everyone seems to be calling the ADFS flavor on Windows Server 2012 R2 “ADFS 3.0.” Everyone, that is, except for Microsoft. It’s not a 3.0; as I understand it the biggest differences have to do with the underlying server architecture, not the ADFS functionality on top of it per se. So don’t call it that, but recognize most other people will. It’s just AD FS 2012 R2.

Book Review: Hurricane Fever by Tobias S. Buckell

Update 7/17 16:21 to add disclosure: I received my ARC copy of this book via a reviewer giveaway from the author’s blog. I had to request the copy.

Note: this review is spoiler-free.

Tobias Buckell writes very smart people-centric speculative fiction. When I was reading the ARC of his latest novel Hurricane Fever, I realized he has quietly become one of my five favorite authors.

Hurricane Fever

One of the reasons is how he writes in a style I’ll just have to call “Flow” for lack of a more precise term. From the non-typical (and welcome) way Buckell deals with writing dialect to his pacing, his stories move smoothly from introduction to crises to resolution. You cover a lot of ground, but it doesn’t feel like it, much like a ramble through the countryside. Hurricane Fever is no exception. Even as the tension and the stakes crank up, the book is a relaxing read. Even if you haven’t read the first book in the series, Arctic Rising, you should be able to drop right in without feeling like you’ve missed anything. (I can’t promise that you will still feel that way when you get to the end; if you feel the need to run right out to the library or to a bookstore, or at least make a big order on Amazon, you’re in good company.)

Another reason is how his stories deal with big ideas of world-shaping significance. Hurricane Fever is a near-future espionage thriller that rivals the scope of a Bond story, with a world-threatening plan that would make Fleming green with envy. In most books, the writer would try to give us hints that Something Big was coming; Buckell makes us care about the people and reels us in from there. The protagonist, Prudence “Roo” Jones, is a retired Caribbean intelligence agent who is just trying to raise the nephew who is all the family he has left. Roo is drawn out of his life onboard a catamaran into the unfolding geopolitical events because he is driven by bonds of family and friendship, not for the sake of power or adrenaline or some abstract duty.

Tobias Buckell writes very smart SF

Probably the biggest reason, though, is that Buckell’s version of smart isn’t intimidating like so much SF can be if you don’t know as much as the author. Rather, his writing is inviting and comfortable. If you know as little about the Caribbean islands as I do, this may be the book that will lead you to your atlas or tablet so you can look up the geography Buckell so lovingly introduces us to. Roo lives just around the corner of tomorrow where the consequences of our bad decisions have come home to roost; climate change has remapped our coastlines, tweaked the balances of power and resources, and altered the patterns of weather. There is a lot of thoughtful worldbuilding that has gone on behind the scenes, but Buckell is comfortable enough in his skill as a storyteller to let it slip in hints and dashes – a master chef deftly and subtly spicing the meal he is preparing. There are no infodumps, no expository lumps, and no detours through backwaters whose only purpose is to show off a feature of the world that would otherwise lay untouched by the plot. I felt like Buckell had made a pact with me: he would stay on task of telling a compelling story, and I would bring my reader A-game and imagination to come play for a while.

We in the Seattle area will host Buckell at University Bookstore on July 28th, one of just five appearances in the Hurricane Fever West Coast Book Tour. I’ll be taking the opportunity to fill in some of the gaps in my library. Hope to see you there!

Local Date Night, @SoundersFC edition

This last year Stephanie helped me become something I never thought I could be: a soccer fan.

Wait, let me rephrase. She got me interested in football. Although soccer is the original and correct name, most of the rest of the world just knows it as football (or futbol if you are from a country whose primary language is a Romance language). It’s only here in North America where we refer to gridiron football as just football.

At any rate, Steph used to play as a goalie when she was growing up and has retained a love of the sport. She used to follow the Seattle Sounders FC matches via Twitter until we moved last fall and got hooked back up to Comcast as our Internet provider. While our package doesn’t include access to ESPN and ESPN2 (where MLS broadcasts national games), it does include JoeTV and Q13 Fox, the local Seattle channels that carry Sounders games when they aren’t being nationally televised. (As an aside, remind me to rant about the stupidity that the FCC permits some other time.) So this year, I got things set up so Steph can watch the Sounders games, and inevitably started sitting next to her with my Surface on my lap while she watched. Then I started asking questions. Then I started recognizing players. Then I started figuring out what the hell was going on. Really, in about three games, I understood 95% of the rules – more than I understand to this day of American football.

At that point, Sounders games became time to spend together. I’d already gotten Steph a Sounders shirt; she got me one, and got us both scarves. And then the World Cup happened. HOLY CRAP people, with all the games being televised over ESPN3/Watch ESPN, and viewable within the ESPN app on our Xbox 360, it was easy to keep games on all through the month of world soccer awesomeness. With two of the familiar Sounders faces on the US Men’s National team, it was natural to watch and cheer them on. Even when they were eliminated by Belgium in the Round of 16, I was invested in the final results. In between the World Cup games, the Sounders had moved into the US Open Cup season, so I streamed those from my Surface to our TV (thanks to the HDMI plug and the Sounders website streaming video). I had become a football fan.

Today, we watched the final struggle of Germany vs. Argentina, then tried to figure out what our options were for watching the Seattle vs. Portland game (broadcast on ESPN2). Steph finally remembered that a local pizza joint, Sahara Pizza, had advertised that they were showing all of the World Cup games. They have gluten-free and dairy-free options on their menu, so Steph called them up to see if they would be showing the Sounders game tonight. They said yes…so we had ourselves a date night.

Here we are, dressed up in our Sounders shirts, practicing for our big day next weekend when we go see the Sounders live in their exhibition game vs. Tottenham.

[Photo: the two of us in our Sounders shirts]

My name is Devin L. Ganger, and I am a football fan.