Tuesday 22 October 2019

Media, White Hats, and Black Hats

ARS Technica has an article with detailed instructions on how to record information, or fake phishing, using Alexa and Google Assistant. It is a blueprint of how to build rogue skills that pass certification but do naughty things.  I know at Microsoft, one of the last things Cortana did was implement developer vetting. It irritates me that articles like this, that have good intentions, not only expose holes to black hats, but make real developers lives harder.

Thursday 12 September 2019

When CERTS expire...

Today I noticed my SSL cert expired. I received notice mid-July, but as with everything, I checked if everything still worked at that time - it did - so conveniently forgot.

This meant likely yesterday, my webs server anounced it was not secured, and all my Cortana skills stopped working with an obscure error message stopped working. (The error message buried at the bottom of the message was [bot service response null].)

So I fixed it by

  • downloading my new cert
  • figuring out how to use psftp to upload them to my server given I'd obfuscated sshd configuration
  • uploading my new crt files and moving them to /etc/ssl/certs
  • updating the various entries in /etc/apache2/sites-available conf files that pointed at the cert
So all the Cortana skills are running again.  I am surprised that the automated tests Microsoft runs didn't send me a nasty email saying I was down.  Ah....

Monday 9 September 2019

Debug C# Cortana Skill Locally

I added a video on how to create a Skill in the cloud, compile it there, then suck it back to a desktop, set debug break points, and continue to debug locally.It doesn't have commentary yet, but I'll get to it.

Thursday 29 August 2019

Teach Your Kids to Code

Today at work we had Bring Your Kids who got an Hour of Code.... Teaching your kids to code! Super cool. They started here... Minecraft . And now I get to send them here... Robot Odyssey . Right on.

Tuesday 23 July 2019

Well Gosh. I changed employers.

I will still be blogging about and making chatbots. But I don't work indirectly at Microsoft anymore!

And I might blog about using the Groupon API too! And making a Groupon skill...

Wednesday 19 June 2019

Decoding JWTs and Bot Service Auth tokens

Ever wonder how to decode a JWT token to get at the email address and user name?  Given that you have the openid, email, and profile scopes granted.

Visit JWT.io for decoder and doc.

Of if you love (trust?) Microsoft, ADFS JWT Decoder.

And the full blown specifation on RFC7519...

And then the openid documentation on how to get name and email.

     // header, payload, signature
     function parseJwt (token) {
            let ary = token.split('.');
            if( ary.len != 3)
                console.log( "not a JWT: " + token );
                return undefined;
            // assume it IS urlEncoded
            let base64Url = ary[1];
            let base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
            let txt = Buffer.from(base64, 'base64').toString();
            return JSON.parse( txt ); 

And then

let jwt = parseJwt(tokenStr);
let email = jwt.email || jwt.upn || 'unknown';
let name = jwt.name;
console.log( `You are ${name} at ${email}` );

But there is more cool stuff you can do via Bot Framework! For example, want to re-use an Auth Token? Use this class to send off requests piggy-backing (using on-behalf-of) on the Bot's app registration.

Then, you can also use Bot Framework's JWT decoder in C#. Use this class to decode the properties into a hashmap.

Saturday 30 March 2019


Hi. Seems since I put up my server I get a swarm of hits on my Apache server trying to exploit WordPress, or pounding on my FTP and SSH services...

Thursday 21 March 2019

90 day new user estimates

Looking at how many users on Google or Microsoft are using my skills.

Microsoft Google
Art of War 23 540
Safety Moments 54 101
Meditations 12 67
Ambient Sounds 65
AutoMate 5

Art of War wins on Google. Ambient Sounds wins on Microsoft. And hey, for all this effort, at least Google is sending me a T-Shirt. I suspect Colossal Cave will beat them all...

Google tells me on average 15 new users a day try Art of War.

Thursday 28 February 2019

Cortana Hosting Off Azure

Yesterday I decided to start moving my skills off Azure. Messaging is still handled by bot service, but the bot lives elsewhere. This is in no way a comment on Azure App Services. It has everything to do with me paying for a GoDaddy VM and I want to have everything in one place. Sure, its not scalable in its current form, but who cares when you have insignificant TPS.

The things that Azure App Services give you for free... a SSL certificate so you can use HTTPS (that you must for bots messaging) and a preconfigured IIS web server that is always managed (because its a container). But its the free tier restrictions... you can't set your web app and skill to "always on", so you get unloaded every 20 minutes. That means your skill will timeout when invoked, and that's a really crappy experience. I wonder how many people actually try a skill twice after it craters the first time? You also can't use web jobs to tickle the endpoint.

So, first step, install Apache. In hindsight, I should have paid GoDaddy the managed fee (that was reasonable, $50 or so) to configure Apache - with their bundled 509 Cert. What a pain... I don't miss running my own web servers.

Why run Apache? Because you want the web server to take care of the SSL for you. It is a lot of work to build a bot supporting HTTPS without a web server. So the trick is, get Apache to handle the secure request, and then tunnel it via proxy to a port without SSL.My node.js bots - they don't know anything about SSL.

How to have all my bots run in one place? Multiple proxies that redirect based on different paths. Instead of https://myserver/api/messages, we now have http://myserver/mybot/api/messages. And the latter redirects to different local ports via a proxy to http://localhost:3000/mybot/api/messages.

Then you have a choice of registering the Cortana skill via a Bot Channel Registration (the right way), or swap out the endpoint after creating a Web App Bot. Why would you want to do the latter? Updated: Because there is a bug in Bot Channel Registrations. Do not use Bot Channel Registration until the glitch is fixed. Create a web app bot, configure the Cortana channel, and then change the bots end point (and tombstone the Azure app service).

I will add my web.conf here when I have time. It is magic that I'll never remember. And the next trick is running node as a daemon. My VM is running Ubuntu server - so
bash -c 'nohup node app &>/dev/null & jobs -p %1'

Tuesday 22 January 2019

Cortana Availability

Ever notice that it can take two invocations to a Cortana skill to get it to work on Azure?

This is because resources are unloaded if they are idle for 20 minutes.  The first invocation; you need to wait for the resources (web app service) to load. You can change this in basic and standard service plans by changing the app service’s settings to “Always On”. 

But if you are using a free tier, what do you do? Set up an availability test that pings your web server every 15 minutes via an Azure web job or Azure monitor. 
But be aware: keeping resources live can consume your credits!

Saturday 19 January 2019

Two months later...

Hello! It seems I have not posted in almost two months. Life always gets interesting. My in-laws and oldest daughter visited. Then there was the flu, head colds, and administrative issues... so my tinkering slowed down to nothing. I've barely even managed to explore my Christmas present: a Playstation Classic.

I have lots of topics I could write about, because between work and personal enlightenment, I've touched on a lot. I am more than happy to take direction on what to write about - because often times I tell myself no one reads what I write so there is no hurry in getting things down.


I did get to push out work related samples on building against bot framework v4. It is different enough to cause people grief in upgrading, and v4 is slightly more complicated and less documented than v3. I've been thinking about writing a guide or giving some sample "search and replace" scripts to help. But that also seems too close to work to use my own time. So expect to see more Cortana stuff here:

Unfortunately I hit a policy blocker on publishing skills - that has seen all my Cortana pet projects delayed or shelved.  However, I am happy that Safety Moments averages 6 requests a day on Windows.  Thanks to those who are using it!

Google Actions

I am happy about how Art of War is doing.  It gets about 60 users a week and sends about 200 messages. When I have time, I intend to get Colossal Cave launched on Google.  It was so close to being done on Cortana, and the server is written in Java and platform agnostic.